1  Introduction


A discrete event system is a system in which events occur instantaneously, causing a discrete change in the system state. Examples of such systems are telephone networks, communication protocols, and manufacturing systems. In certain cases, automatic control can be applied to these systems by the enabling and disabling of particular system events. The supervisory control framework of Ramadge and Wonham [2, 3] was developed as a theory for the synthesis of a controller that ensures the system has a desirable closed loop behavior.

Most research in this field has concentrated on the logical sequencing of events, and abstracted away the actual timing delays between events. The correct behavior of hard real-time systems depends on the actual delay values between events. For example, in manufacturing systems, processing must mostly be achieved within certain time windows if it is to be acceptable. The automation of transport systems, such as railway and flight control, depends critically on reaction times. Most computer networks demand a maximal response time. In this paper, we extend the basic theory to a supervisory control theory for timed execution sequences.

The major challenge is to integrate time explicitly in a formalism suited for specification and synthesis. Two approaches have been considered previously. Discrete-time has been modeled by Brave and Heymann [4] and Golaszewski and Ramadge [5]. Here the domain of integers is used to model time. These models specify a priori the smallest measurable time unit. It is assumed this time quantum is sufficiently small for an accurate representation of system behavior. The fictitious clock approach includes an explicit tick transition making time a global state variable [6, 7]. Each tick increments time by some predetermined time quantum. In this model, events between the $i$-th and $(i+1)$-th clock ticks are assumed to occur at some unspecified time between time $i$ and $i+1$. Thus it is impossible to know the exact time delay between any two events. The model can be interpreted as an approximation to real-time, where events between time $i$ and $i+1$ have their occurrence times truncated to $i$.

In this paper we use timed traces defined over a dense domain of time. An exact occurrence time is associated with each event [8, 9, 10, 11]. This way of representing real-time behavior seems most natural to the authors, as it imposes a minimal set of restrictions on the modeling framework. Events may occur arbitrarily close to one another and their timing information is modeled exactly. We reiterate from [12] four strong reasons why a dense model of time is appropriate. A dense model of time is needed for correctness. Alur gives an example of an asynchronous circuit subject to bounded inertial delays, where fixing in advance the time quantum for the discrete-time and fictitious clock models gives an incorrect reachability analysis. The dense-time model is more expressive than the others. Composition of processes is straightforward in the dense-time model. For the other two models however, prior knowledge of the time quantum of other processes is required for accurate composition. Finally some important problems for finite-state systems have the same complexity using a dense-time model as for the other models. Indeed this turns out to be the case for the supervisory control problem for the finite-state timed systems studied here.

We use Alur and Dill's timed automata to describe the behavior of finite-state timed discrete event systems. These automata are interpreted over the domain of real numbers. They are well-suited for expressing timing constraints over concurrent systems, because they can express independent timing conditions on each system component. Any finite number of system timers can be accommodated. Although not done here, they may also be interpreted over a discrete time domain.

Besides using a different time model, the related models mentioned above have various other drawbacks. Brave and Heymann [4], and Golaszewski and Ramadge [5], who use a discrete model of time, are restricted to the use of only a single system timer. This prohibits, for instance, even very simple composition of timed processes. Ostroff and Wonham [7, 13] use a fictitious clock model. Their real-time systems are not necessarily finite-state, and so they are unable to give synthesis algorithms for their model. They suggest instead a sound but incomplete methodology.

The motivation in examining infinite executions is to model nonterminating processes, and reason about the limiting behavior of a system, such as the fair composition of concurrent components. Various researchers have considered supervisory control over infinite strings [14, 15, 16, 17].

We give necessary and sufficient conditions for the existence of a controller in the case of both finite and infinite timed traces. We show that in certain cases it is possible to find automatically a finite-state supervisor for the supremal controllable sublanguage of a given timed behavior. The synthesis procedures build on untiming the timed automata and reducing a timed supervisory control problem to an untimed problem. The latter can then be solved using the standard, untimed techniques.

The rest of this paper is organized as follows. In Section 2, we provide some basic definitions for untimed languages and automata. Section 3 is mainly a review of familiar results from supervisory control theory. Timed traces are introduced in Section 4. The next two sections (5 and 6) outline how supervisory control theory can be extended first to languages of finite timed executions, and then to languages of infinite timed executions. A timed supervisory control problem is formulated. Section 7 describes a form of timed automata that can be used to model timed languages. Section 8 explains how timed languages can be transformed into equivalent untimed languages. The following section uses this untiming transformation to convert the timed supervisory control problem into an untimed supervisory control problem. In Section 9, algorithms are provided for controller synthesis from automata specifications. Finally we provide two illustrative examples in Section 10, and offer concluding remarks in Section 11.

The characterization of the infinite trace problem in terms of finite traces for both the timed and untimed case under a closedness assumption for the specification can be found in Appendix B.

2  Preliminaries 

Let $\Sigma$ be a finite alphabet of symbols. Let $\Sigma^*$ denote the set of all finite sequences over $\Sigma$, and $\Sigma^\omega$ the set of all $\omega$-sequences over $\Sigma$. We abbreviate $\Sigma^* \cup \Sigma^\omega$ by $\Sigma^\infty$. We use $len(s)$ to denote the length of $s$; if $s \in \Sigma^\omega$, then $len(s) = \omega$. For an element $s \in \Sigma^\infty$, we let $s_i$ denote its component at the $(i+1)$-th position, if $0 \le i < len(s)$. The symbol $\Lambda$ denotes the empty string. A language $L$ over $\Sigma$ is any subset of $\Sigma^\infty$. It is a language of finite (infinite) strings if it is a subset of $\Sigma^*$ ($\Sigma^\omega$). The concatenation of a string $s \in \Sigma^*$ with the symbol $\sigma \in \Sigma$ is represented by the string $s.\sigma \in \Sigma^*$.

A finite string $t \in \Sigma^*$ is a prefix of $s$ if $len(t) \le len(s)$ and $t_i = s_i$ for $0 \le i < len(t)$. Let $pr(L)$ denote the set of prefixes of $L$. Suppose $L$ and $K$ are languages of finite strings. We say $L$ is prefix-closed if $L = pr(L)$. The language $K$ is $L$-closed if $pr(K) \cap L = K$. If $K \subseteq L$, it suffices that $pr(K) \cap L \subseteq K$ for $K$ to be $L$-closed. The limit of $L$, denoted $L^\infty$, is the set of all infinite strings with infinitely many prefixes in $L$. For languages $B$ and $S$ of infinite traces, $B$ is closed relative to $S$ if $pr(B)^\infty \cap S = B$. Notice that when $B \subseteq S$, it is true that $B \subseteq pr(B)^\infty \cap S$, and hence that $B$ is closed relative to $S$ if and only if $pr(B)^\infty \cap S \subseteq B$.

A transition table $T$ is a tuple $(\Sigma, Q, \delta, I)$, where $\Sigma$ is a finite alphabet of transition symbols, $Q$ is a finite set of automaton states, and $\delta : Q \times \Sigma \to 2^Q$ is a partial transition function mapping a state and a transition symbol to a set of states. If $q'$ is in $\delta(q, \sigma)$, then it is possible to move from state $q$ to $q'$ accepting the symbol $\sigma$. $I \subseteq Q$ is a set of initial states. The transition table is deterministic if its transition function is deterministic, i.e. there is only one initial state (the set $I$ is a singleton $\{q_0\}$ for some $q_0 \in Q$), and for every $q$ and $\sigma$, $\delta(q, \sigma)$, if defined, is a singleton. A run of $T$ on the string $s \in \Sigma^\infty$ is a sequence $q$ of states such that $q_0$ is in $I$ and $q_{i+1}$ is in $\delta(q_i, s_i)$ for $0 \le i < len(s)$. The sequence $q$ has length $len(s) + 1$ if $len(s)$ is finite, and length $\omega$ otherwise.

A (regular) automaton $A$ is a tuple $(\Sigma, Q, \delta, I, F)$, where $\Sigma$, $Q$, $\delta$, and $I$ form a transition table, and $F \subseteq Q$ is a set of final states. A string $s$ is accepted by $A$ if and only if $len(s)$ is finite and there is a run $q$ of $A$ for $s$ where $q_{len(s)}$ is in $F$, i.e. it has a run whose last state is a final state of $A$. The language accepted by $A$ is denoted $\mathcal{L}(A)$.

A Büchi automaton $A$ is a tuple $(\Sigma, Q, \delta, I, R)$, where $\Sigma$, $Q$, $\delta$, and $I$ form a transition table, and $R \subseteq Q$ is a set of Büchi recurrence states. An accepting run of $A$ on the string $s \in \Sigma^\omega$ is a run $q$ of $A$ on $s$ such that $q_j$ is in $R$ for infinitely many $j$. The language accepted by $A$, denoted $\mathcal{L}(A)$, is the set of all strings with accepting runs.

Any automaton $A$ is deterministic if its underlying transition table is. The notation $|A|$ is used for the size of $A$, i.e. the number of states in $A$.

A language $L$ of finite strings is regular if there is some regular automaton $A$ such that $\mathcal{L}(A) = L$. The class of languages accepted by regular automata is closed under union and intersection. A language of infinite strings is called $\omega$-regular if and only if it is the language accepted by some Büchi automaton. The class of $\omega$-regular languages is also closed under union and intersection. However, unlike in the case of regular automata, the deterministic Büchi automata accept a strict subclass of the $\omega$-regular languages. This subclass is closed under intersection, but not union.

3  Review of Supervisory Control Theory

3.1  Finite Traces

3.1.1  Supervisory Control Problem

Ramadge and Wonham's theory of supervisory control [2, 18, 3] uses formal languages of linear traces, or strings, to model both the plant and its specification. Each trace represents a sequence of events in a possible execution. The event set $\Sigma$ is partitioned into controllable events $\Sigma_c$ and uncontrollable events $\Sigma_u$. Intuitively uncontrollable events are always enabled, while controllable events can be prevented from occurring at any time.

The uncontrolled plant or generator is modeled as a language $L$ of finite traces over $\Sigma$. The prefixes of the language $L$ represent all possible partial executions of the plant, while $L$ itself is the set of successfully completed traces.

A supervisor controls the plant's executions by observing the events of the plant and disabling possible events from occurring next. Formally, a control mask $\gamma$ is any subset of $\Sigma$ that contains $\Sigma_u$. Applying the mask $\gamma$ means that every event in $\gamma$ is enabled. Let $\Gamma$ denote the set of all control masks. Given a plant $L$, a supervisor $f$ is a function $f : pr(L) \to \Gamma$.

The plant's supervised prefix language $L_0$ is given as

i) $\Lambda \in L_0$,

ii) $w.\sigma \in L_0$ if $w \in L_0$, $\sigma \in f(w)$ and $w.\sigma \in pr(L)$.

Its supervised language is $L_f = L_0 \cap L$, i.e. the strings of the plant that survive under supervision. If $L_0 = pr(L_f)$, then $f$ is a non-blocking supervisor for the plant $L$. Intuitively $f$ is non-blocking if any partial execution allowed by $f$ can be extended to a completed execution. The standard problem to be solved is given as the supervisory control problem.

Problem 3.1 - Supervisory Control Problem for Finite Traces

Given a plant $L$, find a nonblocking supervisor $f$ such that $L_f \subseteq E$, where $E \subseteq L$ is the specification language for the closed-loop behavior.¹

3.1.2  Problem Solution

Ramadge and Wonham [2] introduced the notion of controllability to help characterize the supervised sublanguages of the plant. A language $K \subseteq L$ is controllable with respect to $L$ and $\Sigma_u$ iff

$$pr(K).\Sigma_u \cap pr(L) \subseteq pr(K).$$

It was shown ([2], Proposition 5.1 and Theorem 6.1) that there is a supervisor for the language $K$ if and only if $K$ is $L$-closed and $K$ is controllable wrt. $L$ and $\Sigma_u$.

Let $E$ be a subset of $\Sigma^*$. Let $\mathcal{C}^*[L, \Sigma_u](E)$ be the class of controllable sublanguages of $E$, $\mathcal{F}^*[L](E)$ the class of $L$-closed sublanguages of $E$ and $\mathcal{CF}^*[L, \Sigma_u](E) = \mathcal{C}^*[L, \Sigma_u](E) \cap \mathcal{F}^*[L](E)$ their intersection. The supervisory control problem has a solution iff this class contains a non-trivial language.

Theorem 3.1 ([2]) The class $\mathcal{CF}^*[L, \Sigma_u](E)$ is non-empty and closed under union and has a supremal element, denoted $\sup \mathcal{CF}^*[L, \Sigma_u](E)$. □

Thus the control problem has a solution if and only if $\sup \mathcal{CF}^*[L, \Sigma_u](E)$ is not the empty language ([2], Theorem 7.1). This supremal language

$$\sup \mathcal{CF}^*[L, \Sigma_u](E) = \bigcup \{T : T \subseteq E,\ T \text{ is controllable wrt. } L, \Sigma_u \text{ and } T \text{ is } L\text{-closed}\}$$

¹ In this paper we do not consider a minimally required behavior, but only a maximally tolerable behavior.
corresponds to the least restrictive supervisor and can be expressed as the greatest fixpoint of a fixpoint operator derived from the above [18]. Suppose the plant and specification languages $L$ and $E$ are regular languages, accepted by the deterministic finite-state automata $A_L$ and $A_E$ respectively. Then solving the supervisory control problem reduces to computing $\sup \mathcal{CF}^*[L, \Sigma_u](E)$, and has complexity

$$O(|A_E|^2 \cdot |A_L|^2).$$
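The greatest-fixpoint computation just referred to, as an added Python example that is not code from the paper: the plant $A_L$ and specification $A_E$ are constructed toy automata (a machine with controllable `start`/`repair` and uncontrollable `finish`/`break`; the specification tolerates at most one breakdown in a completed run), `supremal` prunes the product $A_L \times A_E$ until the surviving states accept $\sup \mathcal{CF}^*[L, \Sigma_u](E)$, and `control_mask` reads the least restrictive supervisor $f$ off the result. The event names, the dictionary encoding of the automata and the pruning order are this example's own choices.

```python
from collections import deque

EVENTS = {"start", "finish", "break", "repair"}
UNCONTROLLABLE = {"finish", "break"}          # Sigma_u; start and repair are controllable

# Constructed toy plant A_L (not from the paper): a machine that can start a job,
# finish it, break down uncontrollably while busy, and be repaired.
# "delta" maps (state, event) -> state; only the listed pairs are defined.
MACHINE = {
    "init": "idle", "final": {"idle"},
    "delta": {("idle", "start"): "busy", ("busy", "finish"): "idle",
              ("busy", "break"): "down", ("down", "repair"): "idle"},
}
# Constructed specification A_E: at most one breakdown in any completed run.
AT_MOST_ONE_BREAK = {
    "init": "ok", "final": {"ok", "broke"},
    "delta": {("ok", "start"): "ok", ("ok", "finish"): "ok", ("ok", "repair"): "ok",
              ("ok", "break"): "broke", ("broke", "start"): "broke",
              ("broke", "finish"): "broke", ("broke", "repair"): "broke"},
}

def product(plant, spec):
    """Reachable part of the product A_L x A_E; both automata are deterministic."""
    init = (plant["init"], spec["init"])
    delta, seen, todo = {}, {init}, deque([init])
    while todo:
        ql, qe = todo.popleft()
        for ev in EVENTS:
            if (ql, ev) in plant["delta"] and (qe, ev) in spec["delta"]:
                nxt = (plant["delta"][(ql, ev)], spec["delta"][(qe, ev)])
                delta[((ql, qe), ev)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return init, seen, delta

def coreachable(good, delta, marked):
    """States of `good` from which a marked state is reachable inside `good`."""
    reach = good & marked
    while True:
        more = {s for (s, _), t in delta.items() if s in good and t in reach} - reach
        if not more:
            return reach
        reach |= more

def supremal(plant, spec, unc):
    """Greatest-fixpoint pruning of the product until it accepts sup CF*[L, Sigma_u](E),
    the largest sublanguage of E that is controllable wrt. L and L-closed.
    Returns (initial state, good states, transitions, marked states) or None if empty."""
    init, good, delta = product(plant, spec)
    marked = {s for s in good if s[0] in plant["final"] and s[1] in spec["final"]}
    while True:
        bad = set()
        for ql, qe in good:
            if ql in plant["final"] and qe not in spec["final"]:
                bad.add((ql, qe))        # string is in L but not in E: breaks L-closedness
            for ev in unc:
                if (ql, ev) in plant["delta"] and delta.get(((ql, qe), ev)) not in good:
                    bad.add((ql, qe))    # plant can do ev here but it leaves the good set
        trimmed = coreachable(good - bad, delta, marked)   # nonblocking: drop dead ends
        if trimmed == good:
            break
        good = trimmed
    return (init, good, delta, marked & good) if init in good else None

def run(sup, string):
    """State reached by `string` in the pruned product, or None if it leaves it."""
    state, good, delta = sup[0], sup[1], sup[2]
    for ev in string:
        state = delta.get((state, ev))
        if state not in good:
            return None
    return state

def accepts(sup, string):
    """string is in sup CF*[L, Sigma_u](E)."""
    state = run(sup, string)
    return state is not None and state in sup[3]

def control_mask(sup, state, unc=UNCONTROLLABLE):
    """f(s) for a string s reaching `state`: Sigma_u plus every controllable event
    whose successor is still a good state (the least restrictive supervisor)."""
    good, delta = sup[1], sup[2]
    return set(unc) | {ev for ev in EVENTS - unc if delta.get((state, ev)) in good}

SUP = supremal(MACHINE, AT_MOST_ONE_BREAK, UNCONTROLLABLE)
```

Each pass removes three kinds of product state: a plant-final state whose specification component is not final (a string of $L \setminus E$ that would sit in $pr(K) \cap L$), a state in which the plant can execute an uncontrollable event that leaves the good set, and a state from which no marked state is reachable. On the toy plant the state `("busy", "broke")` is removed because `break` cannot be disabled there, so the resulting supervisor disables `start` once a breakdown has been repaired and the control mask at `("idle", "broke")` contains only the uncontrollable events.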

3.2  Infinite Traces

3.2.1  Supervisory Control Problem

The model was first extended by Ramadge to infinite traces in [14]. Subsequently, Thistle [16] redefined controllability for infinite strings and considerably extended Ramadge's initial results. In particular, Thistle focuses on computational, algorithmic issues.

Problem 3.2 - Supervisory Control Problem for Infinite Traces

For a given plant $S$, find a nonblocking supervisor $f$ such that $S_f \subseteq A$, where $A \subseteq S$ is the specification language for the closed-loop behavior.

3.2.2  Problem Solution

It was shown ([14]) that there is a supervisor $f$ for $B \subseteq S$ if and only if $pr(B)$ is controllable wrt. $pr(S)$ and $B$ is closed relative to $S$.

Let $\mathcal{C}^\omega[S, \Sigma_u](A)$ denote the class of sublanguages $B$ of $A$ such that $pr(B)$ is controllable wrt. $pr(S)$ and $\Sigma_u$. Let $\mathcal{F}^\omega[S](A)$ be the class of sublanguages of $A$ closed relative to the plant $S$. The intersection of the two classes is denoted $\mathcal{CF}^\omega[S, \Sigma_u](A)$. Thus the supervisory control problem has a solution if and only if this class contains a non-empty language. Let $\bigcup \mathcal{CF}^\omega[S, \Sigma_u](A)$ denote the language obtained by taking arbitrary unions of the languages of $\mathcal{CF}^\omega[S, \Sigma_u](A)$.

Thistle states the following theorem.

Theorem 3.2 ([16], Theorem 5.9) The supervisory control problem for infinite traces with plant $S$ and specification $A$ has a solution if and only if $\bigcup \mathcal{CF}^\omega[S, \Sigma_u](A) \neq \emptyset$. □

He then proceeds to show how $\bigcup \mathcal{CF}^\omega[S, \Sigma_u](A)$ can be constructed using various fixpoint operators when $A$ is given as a form of automaton over infinite strings. From $\bigcup \mathcal{CF}^\omega[S, \Sigma_u](A)$ a language that is both $[S, \Sigma_u]$-controllable and $S$-closed can be derived. This language allows the construction of a supervisor that solves the supervisory control problem for infinite traces. Applying the results of Thistle to the class of Büchi automata gives the following.

Theorem 3.3 ([16], Theorem 8.17) The supervisory control problem for infinite traces with plant $S$ and specification $A$, given by deterministic Büchi automata $A_S$ and $A_A$ respectively, can be solved with complexity $O(|A_S|^3 \cdot |A_A|^3)$. □

However the class $\mathcal{CF}^\omega[S, \Sigma_u](A)$ is not closed under arbitrary unions, and so $\bigcup \mathcal{CF}^\omega[S, \Sigma_u](A)$ may not itself correspond to a supervised language. Under certain circumstances, however, the problem admits a simpler solution. Ramadge proves that although the class $\mathcal{CF}^\omega[S, \Sigma_u](A)$ is still not closed under union when $A$ is closed relative to $S$, its supremal element does lie in the class.

Theorem 3.4 ([14]) For any language $A \subseteq S$ closed relative to $S$, the class $\mathcal{CF}^\omega[S, \Sigma_u](A)$ has a supremal element, denoted $\sup \mathcal{CF}^\omega[S, \Sigma_u](A)$. Moreover $\sup \mathcal{CF}^\omega[S, \Sigma_u](A) = \bigcup \mathcal{CF}^\omega[S, \Sigma_u](A)$. □

Thus given a specification $A$ that is closed relative to the plant $S$, the supervisory control problem has a solution if and only if $\sup \mathcal{CF}^\omega[S, \Sigma_u](A)$ is non-empty. Ramadge did not give an explicit correspondence between the infinite trace supervisory control problem and a finite trace counterpart. In Appendix B, we show how the infinite trace problem can be reduced to a finite trace problem when $A$ is closed relative to the plant $S$.

Theorem 3.5 (Theorem B.2 of Appendix B) The supervisory control problem for infinite traces described above can be solved with complexity $O(|A_S|^2 \cdot |A_A|^2)$, if the specification $A$ is closed relative to the plant language $S$. □

While the work of Thistle is more general, we consider the special class of problems where the specification is closed relative to the plant to be of importance. For example, it includes all instances of closed specifications, i.e. $pr(A)^\infty = A$.

4  Timed Traces

Our model of a timed discrete-event process is a set of timed traces. We use the nonnegative reals $\mathbb{R}^+$ as our domain of time. Timed traces show the sequence of events the process executes together with the exact times at which they occur. The traces evolve over $\Sigma \cup \{\varepsilon\}$, where $\varepsilon$ is not a real event, but corresponds to nothing happening.

As in the untimed case, we distinguish between finite timed traces and infinite timed traces. Finite timed traces record the events that have occurred over a finite length of time. Infinite traces indicate events that occur over an unbounded time period, and are used to model non-terminating processes.

4.1  Finite Timed Traces

Let $\mathcal{I} = \{\emptyset\} \cup \{[0, t] \mid t \in \mathbb{R}^+\}$ be the union of the empty interval as well as the set of all closed finite time intervals which start at 0. A finite timed trace is any total function $\nu : I_\nu \to \Sigma \cup \{\varepsilon\}$ with $I_\nu \in \mathcal{I}$ which satisfies the following finiteness property: the set $\{t \in I_\nu \mid \nu(t) \in \Sigma\}$ is finite. This condition asserts that there cannot be an infinite number of real events (i.e. from $\Sigma$) in any finite time interval. The reason for enforcing this condition is that we want to model discrete processes which have some unknown upper bound on the frequency of events. This property is implied by the notions of non-Zenoness, bounded variability and bounded control found in [19]. Let $t_\nu$ denote the largest time in $I_\nu$. A timed trace $\nu$ records all events that have occurred up to time $t_\nu$. Notice also that two events are not allowed to occur simultaneously. The symbol $\Lambda$ is used to denote the empty timed trace with domain $I_\Lambda = \emptyset$.

A finite trace $\mu$ is a prefix of $\nu$ if $I_\mu \subseteq I_\nu$ and $\mu(t) = \nu(t)$ for all $t$ in $I_\mu$. A timed language $L$ is any set of timed traces. Its set of prefixes is denoted $pr(L)$.

If the event $\sigma \in \Sigma \cup \{\varepsilon\}$ occurs at time $t$ we denote this by the pair $(\sigma, t)$. The concatenation of a trace $\nu$ with $(\sigma, t)$, denoted $\nu' = \nu.(\sigma, t)$, is only defined when $t > t_\nu$. In this case, $I_{\nu'} = [0, t]$ and $\nu' : I_{\nu'} \to \Sigma \cup \{\varepsilon\}$ is given by:

$$\nu'(t') = \begin{cases} \nu(t') & \text{if } t' \in I_\nu, \\ \sigma & \text{if } t' = t, \\ \varepsilon & \text{otherwise.} \end{cases}$$

A trace $\nu$ can equivalently be represented as a finite sequence in $(\Sigma \cup \{\varepsilon\} \times \mathbb{R}^+)^*$

$$\nu \sim (\sigma_0, t_0), (\sigma_1, t_1), \ldots, (\sigma_i, t_i), \ldots, (\sigma_n, t_n).$$

For $0 \le i < n$, $t_i < t_{i+1}$, and a pair $(\sigma_i, t_i)$ appears in the sequence if and only if $\sigma_i = \nu(t_i)$ and $\sigma_i \in \Sigma$. The last pair of the sequence always appears as $(\sigma_n, t_n) = (\nu(t_\nu), t_\nu)$. Note that the sequence lists all real events from $\Sigma$ in the order of their occurrence. The sequence is terminated by either a real event or $(\varepsilon, t_\nu)$, depending on whether $\nu(t_\nu)$ maps to a real event or $\varepsilon$. The reason for recording this last event-pair in the sequence is to indicate the length of the time domain.


4.2  Infinite Timed Traces

An infinite timed trace is modeled as a total function $\nu : \mathbb{R}^+ \to \Sigma \cup \{\varepsilon\}$, satisfying the finiteness property: for every $I \in \mathcal{I}$, the set $\{t \in I \mid \nu(t) \in \Sigma\}$ is finite. Notice that an infinite timed trace may include either finitely many or infinitely many events from $\Sigma$. A timed language $S$ of infinite traces is any set of infinite timed traces.

Because of the finiteness property, an infinite timed trace may include only a countable number of real events (i.e. from $\Sigma$). Thus it may also be represented by a sequence from $(\Sigma \cup \{\varepsilon\} \times \mathbb{R}^+)^\infty$, i.e.,

$$\nu \sim (\sigma_0, t_0), (\sigma_1, t_1), \ldots, (\sigma_i, t_i), \ldots$$

where the pair $(\sigma_i, t_i)$ appears in the sequence if $\nu(t_i) = \sigma_i \neq \varepsilon$. Furthermore $t_i < t_{i+1}$ for $i \ge 0$. The time domain of any infinite timed trace is clearly $\mathbb{R}^+$, and so we need not, and indeed cannot, follow the case of finite traces by recording the "last" event. Observe that this sequence may be finite, in which case a finite number of events from $\Sigma$ occur, followed thereafter by nothing happening.

A finite trace $\mu$ is a prefix of $\nu$ if $\mu(t) = \nu(t)$ for all $t \in I_\mu$. The set of prefixes of a language of infinite traces $S$ is denoted $pr(S)$ and is a set of finite timed traces. The limit of a set of finite timed traces $L$ is denoted $L^\infty$ and is defined to be the set of all infinite timed traces with infinitely many prefixes in $L$. Notice that $L^\infty$ is not the same language as that obtained by taking the untimed limit of sequences representing the traces in $L$.²

² This is because $L^\infty$ may include infinite traces with only finitely many events in $\Sigma$.
5  Supervisory Control for Finite Timed Traces

Most of the standard results from supervisory control theory also hold for timed discrete event systems modeled by languages of timed traces.

5.1  Supervisory Control Problem

The uncontrolled plant or generator is modeled as a language $L$ of finite timed traces. For simplicity it will also be assumed that the partial executions of the plant are precisely the prefixes of $L$.

As in the untimed case, the event set $\Sigma$ is partitioned into controllable events $\Sigma_c$ and uncontrollable events $\Sigma_u$, and a control mask $\gamma$ is any subset of $\Sigma$ such that $\Sigma_u \subseteq \gamma$. Applying the mask $\gamma$ at time $t$ means that every event in $\gamma$ is enabled at time $t$. The plant can freely choose to execute any event in $\gamma$. Let $\Gamma$ denote the set of all control masks $\gamma$.

Given a plant $L$ of finite timed traces, a (timed) supervisor $f$ for $L$ is a partial function

$$f : pr(L) \times \mathbb{R}^+ \to \Gamma.$$

The supervisor function $f(\nu, \cdot)$ is only defined over $[t_\nu, \infty)$, where $t_\nu$ is the time of $\nu$'s last event.

The language $L_0$ of prefixes generated by $L$ under $f$'s supervision is given by:

i) $\Lambda \in L_0$;

ii) $\nu.(\sigma, t) \in L_0$ if $\nu \in L_0$, $\sigma \in f(\nu, t) \cup \{\varepsilon\}$ and $\nu.(\sigma, t) \in pr(L)$.

Observe that the supervisor cannot prevent the passing of time (as represented by the $\varepsilon$ event), and thus cannot directly force any event to occur. It may only enable or disable events. The supervised language of the closed-loop system is $L_f = L_0 \cap L$. Intuitively, $L_f$ is the sublanguage of $L$ that survives under supervision. The supervisor $f$ is nonblocking if $pr(L_f) = L_0$.

The timed version of the supervisory control problem is stated as follows.

Problem 5.1 - Supervisory Control Problem for Finite Timed Traces

Given a plant $L$, find a nonblocking supervisor $f$ such that the closed-loop behavior satisfies $L_f \subseteq E$, where $E \subseteq L$ is the specification for the closed-loop behavior.

5.2  Problem Solution

We extend the notions of controllability and supremal controllable sublanguage of a given specification language [2, 18, 14] to timed languages.

Definition 5.1 Let $K$ and $L$ be languages of timed traces over $\Sigma$ such that $K \subseteq L$. $K$ is controllable with respect to $L$ and $\Sigma_u$ if

$$pr(K).(\Sigma_u \cup \{\varepsilon\} \times \mathbb{R}^+) \cap pr(L) \subseteq pr(K).$$

Following the procedure in [2], we first establish necessary and sufficient conditions for supervisor existence. Algorithms to perform the actual synthesis are dependent on the representation of the timed languages, and are delayed to a later section.
Theorem 5.1 Let $K$ and $L$ be languages of finite timed traces over $\Sigma$ such that $K \subseteq L$. There is a non-blocking supervisor $f$ such that $L_f = K$ if and only if

i) $K$ is controllable wrt. $L$,

ii) $K$ is $L$-closed.

Proof:

(only if) Let $f$ be a non-blocking supervisor such that $L_f = K$.

Since $f$ is non-blocking, i.e. $pr(L_f) = L_0$, it follows that

$$pr(L_f) \cap L = L_0 \cap L = L_f$$

which establishes that $K$ is $L$-closed.

For $\sigma \in \Sigma_u \cup \{\varepsilon\}$, any $t \in \mathbb{R}^+$,

$$\nu \in pr(L_f),\ \nu.(\sigma, t) \in pr(L)$$

$$\Rightarrow \nu.(\sigma, t) \in L_0 \quad \text{(supervisor definition)}$$

$$\Rightarrow \nu.(\sigma, t) \in pr(L_f) \quad \text{($f$ is non-blocking)}$$

and thus $K$ is controllable wrt. $L$.

(if) Suppose that $K$ is controllable wrt. $L$ and that $K$ is $L$-closed. We show by construction that there is a supervisor for $K$. Let $f$ be defined as follows. For $\nu \in pr(L)$,

$$f(\nu, t) = \{\sigma \in \Sigma : \sigma \in \Sigma_u \text{ or } (\sigma \in \Sigma_c \text{ and } \nu.(\sigma, t) \in pr(K))\}.$$

As $K$ is controllable wrt. $pr(L)$, the language of prefixes generated by the plant under $f$'s supervision is $L_0 = pr(K)$. The supervised language is $L_f = L_0 \cap L = pr(K) \cap L$ and by $L$-closedness of $K$ this implies that $L_f = K$. The supervisor is non-blocking. □
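To make the sequence representation of Section 4.1 and the supervisor construction in the proof of Theorem 5.1 concrete, here is an added Python example; it is not code from the paper. A finite timed trace is stored as its real events plus the right end $t_\nu$ of its domain, `concat` and `is_prefix` implement the definitions of Section 4.1, `is_controllable` decides Definition 5.1 for finite languages of traces (the uncontrollable extension may be a real event or merely time passing), `make_supervisor` is the $f$ of the proof, and `in_L0` decides membership in $L_0$ by the inductive rule of Section 5.1. The plant, the candidate specifications, and all event names and times are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

EPS = "eps"                      # epsilon: nothing happens
Event = Tuple[str, float]        # a real event sigma in Sigma at time t

@dataclass(frozen=True)
class TimedTrace:
    """Sequence form of a finite timed trace: the real events (strictly increasing
    times) plus the right end t_v of the domain [0, t_v].  end=None is the empty
    trace Lambda; end beyond the last event means the trace ends with (eps, t_v)."""
    events: Tuple[Event, ...] = ()
    end: Optional[float] = None

LAMBDA = TimedTrace()

def concat(v, sigma, t):
    """v.(sigma, t): only defined past v's domain (t > t_v; any t >= 0 for Lambda)."""
    if v.end is not None and t <= v.end:
        raise ValueError("concatenation needs t > t_v")
    return TimedTrace(v.events if sigma == EPS else v.events + ((sigma, t),), t)

def is_prefix(mu, nu):
    """mu is a prefix of nu: I_mu lies inside I_nu and both agree on I_mu."""
    if mu.end is None:
        return True
    if nu.end is None or mu.end > nu.end:
        return False
    return tuple(e for e in nu.events if e[1] <= mu.end) == mu.events

def in_pr(v, lang):
    """v in pr(lang)."""
    return any(is_prefix(v, w) for w in lang)

def event_prefixes(lang):
    """Initial segments of the event sequences of lang (cut-off time abstracted away)."""
    return {m.events[:i] for m in lang for i in range(len(m.events) + 1)}

def silence_horizon(w, lang):
    """(t, closed): how long a trace with events w may stay silent and remain in
    pr(lang): up to the next real event (exclusive) or up to a trace end (inclusive)."""
    best = None
    for m in lang:
        if m.end is None or m.events[:len(w)] != w:
            continue
        rest = m.events[len(w):]
        cand = (rest[0][1], False) if rest else (m.end, True)
        best = cand if best is None or cand > best else best
    return best

def is_controllable(K, L, unc):
    """Definition 5.1 for finite languages: every uncontrollable real event the plant
    can perform after a prefix of K is also possible in K at that time, and K can
    stay silent at least as long as the plant can."""
    EK, EL = event_prefixes(K), event_prefixes(L)
    for w in EK:
        for x in EL:
            if len(x) == len(w) + 1 and x[:-1] == w and x[-1][0] in unc and x not in EK:
                return False
        hL, hK = silence_horizon(w, L), silence_horizon(w, K)
        if hL is not None and (hK is None or hL > hK):
            return False
    return True

def is_L_closed(K, L):
    """pr(K) intersected with L is contained in K."""
    return all(l in K for l in L if in_pr(l, K))

def make_supervisor(K, unc, ctrl):
    """The f of the proof of Theorem 5.1: Sigma_u plus the controllable sigma with
    v.(sigma, t) in pr(K)."""
    return lambda v, t: set(unc) | {s for s in ctrl if in_pr(concat(v, s, t), K)}

def in_L0(nu, L, f):
    """nu in L_0, decided by peeling the last pair off the sequence form
    (f may depend on v only through its real events, as make_supervisor's does)."""
    if nu.end is None:
        return True                                   # (i) Lambda is in L_0
    if not in_pr(nu, L):
        return False                                  # (ii) needs nu in pr(L)
    rest = nu.events
    if rest and rest[-1][1] == nu.end:                # last pair is a real event
        (sigma, t), rest = rest[-1], rest[:-1]
        v = TimedTrace(rest, rest[-1][1]) if rest else LAMBDA
        return in_L0(v, L, f) and sigma in f(v, t)    # (ii) needs sigma in f(v, t)
    v = TimedTrace(rest, rest[-1][1]) if rest else LAMBDA
    return in_L0(v, L, f)                             # last pair is (eps, t_v): always enabled

def supervised_language(L, f):
    """L_f = L_0 intersected with L."""
    return {l for l in L if in_L0(l, L, f)}

# Constructed plant (not from the paper): a client may send a request (controllable),
# the server replies with ack or timeout (uncontrollable); times are seconds.
UNC, CTRL = {"ack", "timeout"}, {"req"}
l1 = TimedTrace((("req", 1.0), ("ack", 2.0)), 2.0)        # fast reply
l2 = TimedTrace((("req", 1.0), ("ack", 4.0)), 4.0)        # slow reply
l3 = TimedTrace((("req", 1.0), ("timeout", 5.0)), 5.0)    # no reply
l4 = TimedTrace((("req", 3.0), ("ack", 4.0)), 4.0)        # later request, fast reply
l5 = TimedTrace((), 6.0)                                  # nothing happens up to t = 6
PLANT = {l1, l2, l3, l4, l5}
K_FAST = {l1, l4, l5}   # "every request is answered within 1 s": not controllable
K_LATE = {l4, l5}       # "never request at t = 1": controllable and L-closed
```

`K_FAST` is not controllable: after `req` at time 1 the plant may answer uncontrollably at time 4, so the supervisor built from it admits every plant trace and $L_f = L \neq K$. The singleton `{l4}` fails for the other reason captured by the $\varepsilon$ component of Definition 5.1: the plant may stay idle until time 6 while $K$ would need a request at time 3, and the supervisor cannot force one. `K_LATE` is both controllable and $L$-closed, and the constructed $f$ disables `req` at time 1 but enables it at time 3, giving exactly $L_f = K$.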


Let $\mathcal{C}^{t,*}[L, \Sigma_u](K)$ be the class of all controllable sublanguages of $K$, i.e.

$$\mathcal{C}^{t,*}[L, \Sigma_u](K) = \{T \subseteq K \mid T \text{ is controllable wrt. } L\}.$$

Analogously, let $\mathcal{F}^{t,*}[L](K)$ be the class of all $L$-closed sublanguages of $K$, i.e.

$$\mathcal{F}^{t,*}[L](K) = \{T \subseteq K \mid T \text{ is } L\text{-closed}\}.$$

The class of languages which are both controllable wrt. $pr(L)$ and $L$-closed is

$$\mathcal{CF}^{t,*}[L, \Sigma_u](K) = \mathcal{C}^{t,*}[L, \Sigma_u](K) \cap \mathcal{F}^{t,*}[L](K).$$

Theorem 5.2 Let $K \subseteq L$.

i) $\mathcal{C}^{t,*}[L, \Sigma_u](K)$ is non-empty and closed under union.

ii) $\mathcal{F}^{t,*}[L](K)$ is non-empty and closed under union.

iii) There is a supremal controllable (wrt. $pr(L)$) and $L$-closed sublanguage of $K$. It is denoted

$$\sup \mathcal{CF}^{t,*}[L, \Sigma_u](K).$$

Proof:

i) Let $\emptyset$ be the empty language. Clearly $\emptyset \in \mathcal{C}^{t,*}(K)$, so $\mathcal{C}^{t,*}(K)$ is non-empty. Let $K_1$ and $K_2$ be two controllable languages in $\mathcal{C}^{t,*}(K)$. It follows from the definition of prefix-closure that

$$pr(K_1 \cup K_2) = pr(K_1) \cup pr(K_2).$$

It follows that

$$\begin{aligned}
pr(K_1 \cup K_2).(\Sigma_u \cup \{\varepsilon\} \times \mathbb{R}^+) \cap L
&= [pr(K_1) \cup pr(K_2)].(\Sigma_u \cup \{\var​epsilon\} \times \mathbb{R}^+) \cap L \\
&= [pr(K_1).(\Sigma_u \cup \{\varepsilon\} \times \mathbb{R}^+) \cup pr(K_2).(\Sigma_u \cup \{\varepsilon\} \times \mathbb{R}^+)] \cap L \\
&= [pr(K_1).(\Sigma_u \cup \{\varepsilon\} \times \mathbb{R}^+) \cap L] \cup [pr(K_2).(\Sigma_u \cup \{\varepsilon\} \times \mathbb{R}^+) \cap L] \\
&\subseteq pr(K_1) \cup pr(K_2) = pr(K_1 \cup K_2)
\end{aligned}$$

and so $K_1 \cup K_2 \in \mathcal{C}^{t,*}(K)$. Clearly this also holds for arbitrary unions.

ii) Again it follows from the definition of prefix-closure that

$$\begin{aligned}
pr(K_1 \cup K_2) \cap L &= [pr(K_1) \cup pr(K_2)] \cap L \\
&= [pr(K_1) \cap L] \cup [pr(K_2) \cap L] \\
&= K_1 \cup K_2
\end{aligned}$$

This establishes $L$-closedness of $K_1 \cup K_2$. Clearly it also holds for arbitrary unions.

iii) Follows directly from (i) and (ii).

□

Theorem 5.3 The finite timed trace supervisory control problem for the plant $L$ and the specification language $E$ has a non-trivial solution if and only if

$$\sup \mathcal{CF}^{t,*}[L, \Sigma_u](E) \neq \emptyset.$$

Proof: This follows directly from Theorems 5.1 and 5.2. □

6  Supervisory Control for Infinite Timed Traces

6.1  Supervisory Control Problem

The plant is modeled by a language of infinite timed traces $S$. It is assumed that all finite executions of the plant are prefixes of $S$. The definition of a supervisor $f$ for $S$ is the same as for finite timed traces, i.e. a function $f : pr(S) \times \mathbb{R}^+ \to \Gamma$. As before $f$ is defined only for finite strings, and the set of prefixes generated by the plant under $f$'s supervision is denoted $L_0$. The supervised language $S_f$ is defined as $pr(L_0)^\infty \cap S$. The supervisor $f$ is nonblocking for $S$ if $pr(S_f) = L_0$.
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Problem  6.1  -  Supervisory  Control  Problem  for  Infinite  Timed  Traces 

Given  a  plant  S,  find  a  non-blocking  supervisor  f  such  that  the  closed-loop  behavior  satisfies  5/  C  A, 

where  A  C  S  is  the  specification  language  for  the  closed-loop  behavior . 

6.2 Problem Solution

The following theorems are the timed counterparts of Propositions 3.1 and 3.2 given by Ramadge [14]. Theorem 6.1 establishes necessary and sufficient conditions for supervisor existence. The proof is deferred to Appendix A. It is very similar to that given in [14].

Theorem 6.1 If $B \subseteq S$ is nonempty, then there is a nonblocking supervisor $f$ for $S$ such that $S_f = B$ if and only if

i) $pr(B)$ is controllable wrt. $pr(S)$,

ii) $B$ is closed relative to $S$.

Proof: See Appendix A. □

Let $\mathcal{C}^{t,\omega}[S,\Sigma_u](A)$ denote the class of sublanguages of $A$ whose prefix-sets are controllable wrt. $pr(S)$ and $\Sigma_u$, i.e.

$$\mathcal{C}^{t,\omega}[S,\Sigma_u](A) = \{T \subseteq A \mid pr(T) \text{ is controllable wrt. } pr(S) \text{ and } \Sigma_u\}.$$

Let $\mathcal{F}^{t,\omega}[S](A)$ be the class of sublanguages of $A$ that are closed relative to $S$, i.e.

$$\mathcal{F}^{t,\omega}[S](A) = \{T \subseteq A \mid T \text{ is closed relative to } S\}.$$

Let $\mathcal{CF}^{t,\omega}[S,\Sigma_u](A) = \mathcal{C}^{t,\omega}[S,\Sigma_u](A) \cap \mathcal{F}^{t,\omega}[S](A)$ be the intersection of these two classes. Finally let $\bigcup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A)$ denote the union of all languages in the class $\mathcal{CF}^{t,\omega}[S,\Sigma_u](A)$.

Theorem 6.2 The infinite timed trace supervisory control problem for the plant $S$ and the specification language $A$ has a non-trivial solution if and only if

$$\bigcup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A) \neq \emptyset.$$

Proof: Immediate from Theorem 6.1. □

Theorem 6.3 Let $A \subseteq S$.

i) The class $\mathcal{C}^{t,\omega}[S,\Sigma_u](A)$ is non-empty and closed under arbitrary union.

ii) The class $\mathcal{F}^{t,\omega}[S](A)$ is non-empty and closed under finite union.

iii) If $A$ is closed relative to $S$, then the class $\mathcal{CF}^{t,\omega}[S,\Sigma_u](A)$ has a supremal element, denoted $\sup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A)$. Moreover, $\sup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A) = \bigcup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A)$.

Proof: See Appendix A. □

Note that the class $\mathcal{CF}^{t,\omega}[S,\Sigma_u](A)$ is not closed under countable union in general. However, for the special case where $A$ is closed relative to the plant $S$, the class $\mathcal{CF}^{t,\omega}[S,\Sigma_u](A)$ has a supremal element.

Theorem 6.4 The infinite timed trace supervisory control problem for the plant $S$ and the specification language $A$, where $A$ is closed relative to $S$, has a non-trivial solution if and only if

$$\sup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A) \neq \emptyset.$$

Proof: Follows directly from Theorems 6.1 and 6.3. □

As in the case of untimed infinite traces, the supremal element may be characterized in terms of the supremal element of a corresponding class of finite trace languages if $A$ is closed relative to the plant $S$. This is shown in Appendix B.

7 Timed Automata

7.1 Timed Regular Automata and Timed Büchi Automata

We use timed automata to represent the timed behaviors of the plant and its specification. These automata are standard finite-state automata with real-time constraints on the delays between events [8, 9, 12]. Each timed automaton has a set of clocks which may only be reset when transitions are made. The value of each clock records the time that has passed since it was last reset. A transition can only occur when the current values of the clocks satisfy its timing constraint. Thus the constraints express conditions on the delays between events.

The underlying structure of any timed automaton is a timed transition table. A timed transition table is a tuple $T = (\Sigma, Q, q_0, C, \delta)$. It has a finite alphabet $\Sigma$ and a finite set of states $Q$, of which $q_0$ is the initial state. The set $C$ is a finite set of clocks, named $x_1, x_2, \ldots, x_N$. The transition table $T$ has a set of transitions $\delta \subseteq Q \times Q \times \Sigma \times 2^C \times En$, where $En$ is the set of enabling conditions, namely the boolean closure of the atomic conditions $x \sim c$ where $x$ is a clock, $c$ is a constant, and $\sim$ is one of $\{<, \le, =, \ge, >\}$. Clocks are only ever compared to integer values. If, however, rational constants are required it is straightforward to transform a language into an equivalent one with integer constants: all time constants are multiplied by the least common multiple of the rational denominators. Note that no addition or comparison between clock values is permitted. If $(q_1, q_2, \sigma, \pi, E)$ is in $\delta$ and the clocks satisfy $E$, then $A$ may move from state $q_1$ to state $q_2$ on input $\sigma$ at the same time as resetting to zero the clocks in $\pi$. The clocks all have value 0 at the start of a run.

A time assignment is a function $v : C \to \mathbb{R}^+$ assigning a nonnegative real value to every clock. Constants may be added to assignments, where $(v + c)(x_i) = v(x_i) + c$. $[\pi \mapsto t]v$ is the time assignment that assigns time $t$ to every clock in $\pi \subseteq C$ but is otherwise the same as $v$. The time assignment $0_v$ maps every clock to 0. We use the symbol $V$ to denote the set of time assignments.
A run of $T$ over the timed trace $\nu = (\sigma_0, t_0), (\sigma_1, t_1), \ldots \in ((\Sigma \cup \{\epsilon\}) \times \mathbb{R}^+)^\infty$ is a sequence of triples $\rho = (q_0, v_0, u_0), (q_1, v_1, u_1), \ldots \in (Q \times V \times \mathbb{R}^+)^\infty$ that satisfies:

i) (length consistency): $len(\rho) = len(\sigma) + 1$,

ii) (occurrence times): $u_{i+1} = t_i$ for $0 \le i < len(\sigma)$,

iii) (initiality): $\rho_0 = (q_0, 0_v, 0)$,

iv) for all $i$ such that $0 \le i < len(\sigma)$, either

(a) (event occurs): there is a tuple $(q_i, q_{i+1}, \sigma_i, \pi_i, E_i)$ in $\delta$ such that

i. $v_i + u_{i+1} - u_i$ satisfies $E_i$, and

ii. $v_{i+1} = [\pi_i \mapsto 0](v_i + u_{i+1} - u_i)$, or

(b) (time passes at end of $\nu$):

i. $i = len(\sigma) - 1$,

ii. $\sigma_i = \epsilon$,

iii. $q_i = q_{i+1}$, and

iv. $v_{i+1} = v_i + u_{i+1} - u_i$.

From the timed transition table, we construct two sorts of timed automata. A timed automaton is a tuple $A = (\Sigma, Q, q_0, C, \delta, F)$, where $\Sigma$, $Q$, $q_0$, $C$ and $\delta$ form a transition table as described above. The set $F \subseteq Q$ defines the final accepting states. Depending on the acceptance condition, these are either acceptors of finite traces, or acceptors of infinite traces.

Definition 7.1 A timed regular automaton (TRA) $A$ is a timed automaton with the following acceptance condition: $A$ accepts the timed trace $\nu$ if $\nu$ is finite, $\sigma_{len(\sigma)-1} \neq \epsilon$, and $\nu$ has a finite run $\rho$ of $A$ with its last state in $F$, i.e. $q_{len(\rho)-1} \in F$.

Definition 7.2 A timed Büchi automaton (TBA) $A$ is a timed automaton with the following acceptance condition: $A$ accepts $\nu$ if $len(\nu)$ is infinite and $\nu$ has a run of $A$ in which some state $q \in F$ is repeated infinitely often.

In either case, we use $\mathcal{L}(A)$ to denote the language accepted by $A$. The language $\mathcal{L}(A)$ is a timed language of finite or infinite traces that do not end in $\epsilon$.

Example 7.1 The TRA with two timers $x$ and $y$ in Figure 1 accepts all traces where requests are repeatedly made within 5 seconds of each other. A request may be either refused or granted. However, if it is not refused within 2 seconds, it will be granted within 3 seconds (of the time of the original request). In addition at least 1 second must pass before the next request.

More precisely,

$$\begin{aligned}
\mathcal{L}(A) = \{(\sigma_0, t_0), (\sigma_1, t_1), \ldots \mid\ & \text{for } i \ge 0,\ \sigma_{2i} = request,\ \sigma_{2i+1} \in \{refuse, grant\}, \\
& t_{2i+2} \le t_{2i} + 5,\ t_{2i+2} \ge t_{2i+1} + 1, \\
& \text{if } \sigma_{2i+1} = refuse \text{ then } t_{2i+1} \le t_{2i} + 2 \text{ and } t_{2i+1} \ge t_{2i-1} + 3, \text{ where } t_{-1} = 0, \\
& \text{and if } \sigma_{2i+1} = grant \text{ then } t_{2i+1} \le t_{2i} + 3\}
\end{aligned}$$
A timed transition table is deterministic if there is at most one run of the table for every timed trace. It is complete if for every state and every event, there is at least one transition enabled at any time. Note that if a timed transition table is both complete and deterministic then it has exactly one run for every timed trace. A timed automaton is deterministic (complete) when its timed transition table is.

Given a timed automaton $A = (\Sigma, Q, q_0, C, \delta, F)$, we define its completion $comp(A)$ to be the automaton $(\Sigma, Q \cup \{q_{dead}\}, q_0, C, \delta', F)$. It differs from $A$ in that its states include the additional state $q_{dead}$, and its transition function $\delta'$ includes the additional transitions $\{(q, q_{dead}, \sigma, \emptyset, E)\}$ where $E$ is the negation of all enabling conditions associated with transitions of $A$ out of state $q$ on symbol $\sigma$. Notice that when $A$ is deterministic, then so is $comp(A)$.

7.2 Concurrent Components

We now define the product of two automata. Let $A_i = (\Sigma, Q_i, q_{i0}, C_i, \delta_i, F_i)$ for $i = 1, 2$ be two timed regular automata over the same alphabet $\Sigma$. We assume the clock sets $C_1$ and $C_2$ are disjoint. Their product $A_1 \times A_2$ is the timed regular automaton $A = (\Sigma, Q, q_0, C, \delta, F)$. Its states are $Q = Q_1 \times Q_2$, with initial state $q_0 = (q_{10}, q_{20})$. Its clock set is $C = C_1 \cup C_2$. The transitions of $A$ are those transitions that are enabled in both $A_1$ and $A_2$, i.e. $((q_1, q_2), (q_1', q_2'), \sigma, \pi, E) \in \delta$ if and only if there exist $\pi_1 \in 2^{C_1}$, $\pi_2 \in 2^{C_2}$, $E_1 \in En_1$ and $E_2 \in En_2$ such that $(q_1, q_1', \sigma, \pi_1, E_1) \in \delta_1$, $(q_2, q_2', \sigma, \pi_2, E_2) \in \delta_2$, $\pi = \pi_1 \cup \pi_2$, and $E = E_1 \wedge E_2$. The final states are $F = F_1 \times F_2$.

Theorem 7.1

i) The class of languages accepted by timed regular automata is closed under intersection.

ii) The class of timed languages accepted by timed Büchi automata is closed under intersection.

Proof:

i) It is not hard to see that for two TRAs $A_1$ and $A_2$, $\mathcal{L}(A_1 \times A_2) = \mathcal{L}(A_1) \cap \mathcal{L}(A_2)$.

ii) This result is proven in [8].

□

The corresponding result for deterministic automata follows easily.

Corollary 7.1 The languages of timed deterministic (regular and Büchi) automata are closed under intersection.

Proof: In the finite regular case this can be seen from the construction of the automaton in the proof of Theorem 7.1. Analogously for Büchi automata. □

As a consequence of this result, it is possible to construct global models of the plant by composing automata for their components. In addition, a specification can be formed as the conjunction of two or more separate conditions.
8 Untiming Timed Automata

In this section we show how to convert a finite timed automaton into a finite untimed automaton, retaining sufficient information for analyzing such properties as controllability and closedness. In the next section we use this untiming construction to reduce the timed supervisory control problem to the familiar untimed supervisory problem reviewed in Section 3.

The untiming described here is essentially the same as that of Alur and Dill [8] and Cerans [20]. The untimed automaton mimics the timed automaton. Its states have two components: one to keep track of the state of the timed automaton, and the other to record the equivalence class of the current clock valuations.

We first describe how the clock valuations are partitioned into equivalence classes.

8.1 Partitioning Clock Valuations

To determine the possible futures of a timed execution, it is sufficient to know the current state of the automaton's transition table and the current clock values, without necessarily having to know the exact times at which all previous events have occurred. This information is contained in the notion of a timed-state. A timed-state is a pair $(q, v) \in Q \times V$.

A timed transition table could be transformed into an untimed transition table with a state for every timed-state. It has transitions corresponding to events in the original timed automaton, and special transitions denoting the passing of time. There is a very natural relationship between the runs of this untimed automaton and the original timed automaton. However this automaton is not suitable for solving an untimed supervisory control problem, because it clearly has uncountably many states even though the original timed automaton is finite. The synthesis techniques described above require languages represented by finite-state automata.

Fortunately, it is possible to aggregate the timed-states of any finite timed graph into a finite number of equivalence classes without the loss of relevant information. In this subsection we describe this partitioning [8]. Later we define an untiming mapping from timed traces to untimed traces and show how to construct an automaton that accepts the untimed language of a timed automaton.

Each equivalence class of states must store enough information to decide which sequences of states are possible futures. To decide which events are immediately enabled at a given state, it is sufficient to know the integral parts of the clock values. The ordering of the fractional parts of each clock is needed to determine which clock will next increment its integral value. Furthermore it is not necessary to keep track of the exact value of clock $x$ once it has exceeded $c_x$, the largest constant it is ever compared to: every enabling condition on $x$ can be decided given the information that its value is greater than $c_x$. This partitioning is now defined formally.

We assume that every clock appears in some enabling condition. For any $r \in \mathbb{R}^+$, let $\lfloor r \rfloor$ denote the integral part of $r$ and $fract(r)$ the fractional part, i.e. $fract(r) = r - \lfloor r \rfloor$. We first define the equivalence relation $\equiv$ on valuations as $v \equiv v'$ if and only if

i) $\forall x \in C$, if $v(x) \le c_x$ or $v'(x) \le c_x$ then $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$

ii) $\forall x, y \in C$, if $v(x) \le c_x$ and $v(y) \le c_y$, then

(a) $fract(v(x)) = fract(v(y))$ iff $fract(v'(x)) = fract(v'(y))$

(b) $fract(v(x)) < fract(v(y))$ iff $fract(v'(x)) < fract(v'(y))$

Notice that if both $v$ and $v'$ assign to each clock $x$ a value greater than $c_x$, then they are equivalent under $\equiv$. Furthermore we call this special equivalence class $v_\infty$.

Clearly for a finite automaton $A$, the relation $\equiv$ has a finite number of equivalence classes, which we call regions. Let $reg_A(v)$ be the equivalence class of $\equiv_A$ containing $v$. We drop the subscripts if the meaning is clear. Let $Regs(A)$ denote the set of all of $A$'s regions.

The successor function $succ$ maps every region to a unique region. The successor of $v_\infty$ is itself. When $reg_1 \neq v_\infty$, $succ(reg_1) = reg_2$ where for all $v \in reg_1$ there exists a $t \in \mathbb{R}^+$ such that $v + t \in reg_2$ and for all $0 \le t' \le t$, $v + t' \in reg_1 \cup reg_2$. Notice that every region has exactly one successor. The descendant operator $desc$ is the reflexive, transitive closure of the successor function.

8.2 Untimed Traces

For each timed trace, we now define its untimed counterpart with respect to a timed automaton. The time at which events occur is explicit in timed traces. Untimed traces have no times associated with them. To capture this information with untimed traces, we introduce a new symbol $\tau$ that denotes the "significant" passing of time. Intuitively, a significant amount of time has passed when the clock valuations shift from one region to the next. By counting the number of regions passed we can determine which region the clock valuation currently lies in.

We now formally define the correspondence between timed traces and untimed traces. The untiming depends on the transition structure of the automaton. For simplicity we work only with deterministic timed automata, but the definitions and results generalize naturally for non-deterministic automata.

Let $v_1$ and $v_2$ be valuations such that $v_2 = v_1 + t$ for some $t \ge 0$. Then the region $reg_2 = reg(v_2)$ is a descendant of $reg_1 = reg(v_1)$. We define a partial function representing the number of regions between $reg_1$ and $reg_2$, where $reg_2$ is a descendant of $reg_1$, i.e. $reg_2 \in desc(reg_1)$. If $reg_1 = reg_2$, then $nr(v_1, v_2) = 0$. Otherwise $nr(v_1, v_2)$ is defined to be one more than the number of successive regions between, and not including, $reg_1$ and $reg_2$.

Let $\nu$ be a finite timed trace with a run on a deterministic TRA $A$. Because $A$ is deterministic it has a unique run $\rho$ for $\nu$. The untimed trace $untime_A(\nu)$ is a sequence over the augmented alphabet $\Sigma \cup \{\tau\}$ obtained by inserting a number of $\tau$ events between the non-$\epsilon$ events of $\sigma$.³ Each $\tau$ denotes the passing of time causing clock valuations to move from one equivalence class to the next. To be precise, the sequence contains all non-$\epsilon$ events of $\nu$ in their order of occurrence. There are $nr(0_v, v_1)$ $\tau$ events added as a prefix before $\sigma_0$. In addition, there are $nr(v_i, v_i + (u_{i+1} - u_i))$ events labeled $\tau$ inserted between $\sigma_i$ and $\sigma_{i+1}$ for $0 \le i < len(\sigma)$. If the final event of $\nu$ is $\epsilon$, i.e. $\sigma_{len(\sigma)-1} = \epsilon$, then $untime(\nu)$ may end in a sequence of $\tau$ events.

³ This untime operator is not the same as that found in [8, 12]. Our operator is necessarily more complex in order to enable a timed language to be reconstructed after it has been untimed.
We now also define its inverse, a timing operation. Given a finite untimed sequence $w \in (\Sigma \cup \{\tau\})^*$, we define $time_A(w)$ to be the set of all traces $\nu$ for which $untime_A(\nu) = w$.

Notice that both the $untime_A$ and $time_A$ operators depend critically on the transition table of $A$. If no confusion arises, we shall omit the subscript. The $time$ and $untime$ operators are extended in a straightforward way to languages by their application to each element of the language. Also the operators are easily defined for infinite strings and TBA's.

Example 8.1 Consider the timed trace $\nu = (request, 1.1), (refuse, 2.0), (request, 3.5), (grant, 4.2)$. It is accepted by the automaton of Figure 1. See Figure 2 for an illustration of how $untime(\nu)$ is derived. Its clock valuations immediately before and after each event are $\{x = 1.1, y = 1.1\}$ and $\{x = 0.0, y = 1.1\}$ for $(request, 1.1)$, $\{x = 0.9, y = 2.0\}$ and $\{x = 0.9, y = 0.0\}$ for $(refuse, 2.0)$, $\{x = 2.4, y = 1.5\}$ and $\{x = 0.0, y = 1.5\}$ for $(request, 3.5)$, and $\{x = 0.7, y = 2.2\}$ and $\{x = 0.7, y = 0.0\}$ for $(grant, 4.2)$. The trace $untime_A(\nu)$ is $\tau, \tau, \tau, request, \tau, \tau, refuse, \tau, \tau, \tau, \tau, \tau, \tau, \tau, request, \tau, \tau, \tau, grant$. For instance the first 3 $\tau$ events correspond to moving between the equivalence classes for the valuations $\{x = 0.0, y = 0.0\}$, $\{x = 0.1, y = 0.1\}$, $\{x = 1.0, y = 1.0\}$, and $\{x = 1.1, y = 1.1\}$. □
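The following Python is an added example (not code from the paper) that reproduces the untiming of Example 8.1 from the definitions of Sections 8.1 and 8.2: `region` computes the equivalence class of a valuation, `nr` counts the regions crossed as time passes, and `untime` inserts one $\tau$ per region change. Figure 1 is not reproduced on the page, so the resets (request resets $x$, refuse and grant reset $y$, read off the valuations of Example 8.1), the constants $c_x = 5$ and $c_y = 3$, and the Alur-Dill treatment of zero fractional parts as their own regions are assumptions.

```python
"""Region abstraction and the untime operator of Section 8 (added example, not the paper's code).

Assumptions (Figure 1 is not on the page):
  - two clocks x, y; request resets x, refuse and grant reset y (from Example 8.1's valuations);
  - largest constants c_x = 5 and c_y = 3;
  - regions follow Alur and Dill [8]: bounded integer parts, the ordering of the fractional
    parts, and which fractional parts are exactly zero.
"""
from fractions import Fraction
from math import floor

# Constructed inputs for Example 8.1 (times as strings so that Fraction is exact).
CMAX = {"x": 5, "y": 3}                                        # c_x, c_y (assumed)
RESETS = {"request": {"x"}, "refuse": {"y"}, "grant": {"y"}}   # assumed from Example 8.1
EXAMPLE_8_1 = [("request", "1.1"), ("refuse", "2.0"), ("request", "3.5"), ("grant", "4.2")]


def region(v, cmax=CMAX):
    """Canonical key of the region containing valuation v (dict clock -> Fraction).

    Clocks above their largest constant c_x are dropped (every enabling condition on
    them is decided); the remaining clocks contribute their integer part, whether
    their fractional part is zero, and the ordering of the fractional parts.
    """
    bounded = {x: val for x, val in v.items() if val <= cmax[x]}
    ints = tuple(sorted((x, floor(val)) for x, val in bounded.items()))
    groups = {}
    for x, val in bounded.items():
        groups.setdefault(val - floor(val), set()).add(x)
    order = tuple((f == 0, frozenset(g)) for f, g in sorted(groups.items()))
    return (ints, order)


def nr(v, t, cmax=CMAX):
    """nr(v, v + t): number of region boundaries crossed while v advances by t >= 0."""
    t = Fraction(t)
    crossings = set()
    for x, val in v.items():
        k = floor(val) + 1               # next integer value this clock will reach
        while k <= cmax[x] and k - val <= t:
            crossings.add(k - val)       # the region changes only when a tracked clock hits an integer
            k += 1
    points = sorted(crossings | {t})
    samples, prev = [], Fraction(0)
    for p in points:                     # sample the open interval before each crossing, then the crossing
        samples += [(prev + p) / 2, p]
        prev = p
    count, cur = 0, region(v, cmax)
    for s in samples:
        r = region({x: val + s for x, val in v.items()}, cmax)
        if r != cur:
            count, cur = count + 1, r
    return count


def untime(trace, resets=RESETS, cmax=CMAX):
    """untime_A(nu) for a finite timed trace [(sigma, t), ...] on a deterministic A whose
    resets depend only on the event label (assumption). "eps" marks a trailing epsilon."""
    v = {x: Fraction(0) for x in cmax}
    now, out = Fraction(0), []
    for sigma, t in trace:
        t = Fraction(t)
        out += ["tau"] * nr(v, t - now, cmax)    # time passes: one tau per region change
        v = {x: val + (t - now) for x, val in v.items()}
        now = t
        if sigma != "eps":                       # epsilon only lets time pass
            out.append(sigma)
            v.update({x: Fraction(0) for x in resets[sigma]})
    return out


if __name__ == "__main__":
    print(" ".join(untime(EXAMPLE_8_1)))
```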

8.3 Properties of Timed and Untimed Traces

In this section we use $V^t$ and $W^t$ to denote timed languages of finite or infinite traces, and $V^{ut}$ and $W^{ut}$ to denote untimed languages of finite or infinite strings. We show a number of basic properties of the $untime$ and $time$ operators.

Proposition 8.1 Let $w$ be an untimed trace from $(\Sigma \cup \{\tau\})^*$. If the timed automaton $A$ accepts any timed trace in $time_A(w)$ then $A$ accepts every timed trace in $time_A(w)$.

Proof: Suppose $A$ accepts the timed trace $\nu$ and that $untime(\nu) = w$. As usual, let $\rho$ be an accepting run for $\nu$, where $\rho_i = (q_i, v_i, u_i)$. Assume that $\nu'$ is also in $time_A(w)$. We will construct an accepting run $\rho'$ of $A$ for $\nu'$. The state component of $\rho'$ will be the same as for $\rho$.

The construction proceeds in steps for every element of $\sigma$. Initially we set $\rho_0 = \rho_0'$. By the definition for a run of $A$, at time $u_1$, the valuation $v_0 + (u_1 - u_0)$ satisfies $E$ for some transition $(q_0, q_1, \sigma_0, \pi, E) \in \delta$, where $\delta$ is the next state relation of $A$. After resetting the clocks in $\pi$ the resulting valuation is $v_1$. Consider the regions passed as time progresses from $u_0$ to $u_1$. Because $u_0 = u_0' = 0$, $untime(\nu) = untime(\nu')$, and the successor region of any region is unique, the same regions are passed through by $A$'s run of $\nu'$. Thus there is some time $u_1'$ such that $v_0' + (u_1' - u_0') \equiv v_0 + (u_1 - u_0)$. At this time the same transition is enabled, and the resulting clock region will be the same, i.e. $v_1' \equiv v_1$. The rest of the construction continues as for this first event of $\sigma$, yielding an accepting run of $\nu'$. □

For further reference, we present the following propositions.

Proposition 8.2 Let $V^t$, $V_1^t$, $V_2^t$ and $W^t$ be languages of timed traces. Let the $untime$ and $time$ operators be defined in terms of a timed automaton $A$ for $W^t$, i.e. $\mathcal{L}(A) = W^t$. Let $V^{ut}$, $V_1^{ut}$, and $V_2^{ut}$ be non-timed languages.

i) $V^t \subseteq time(untime(V^t))$

ii) $W^t = time(untime(W^t))$

iii) $pr(W^t) = time(untime(pr(W^t)))$

iv) $V^{ut} = untime(time(V^{ut}))$

v) $V_1^t \subseteq V_2^t \Rightarrow untime(V_1^t) \subseteq untime(V_2^t)$

vi) $V^t \subseteq W^t \Leftrightarrow untime(V^t) \subseteq untime(W^t)$

vii) $V_1^{ut} \subseteq V_2^{ut} \Leftrightarrow time(V_1^{ut}) \subseteq time(V_2^{ut})$.

Proof: Parts (i), (iv), (v), and (vii) follow immediately from the definition of $time$ as a one-to-many mapping and of $untime$ as a many-to-one mapping. Parts (ii), (iii), and (vi) rely on Proposition 8.1 as well. □

Proposition 8.3 Let $V^t$, $V_1^t$, $V_2^t$, and $W^t$ be languages of timed traces. Let the $untime$ and $time$ operators be defined in terms of a timed automaton $A$ for $W^t$, i.e. $\mathcal{L}(A) = W^t$. Let $V^{ut}$, $V_1^{ut}$, and $V_2^{ut}$ be non-timed languages.

i) $untime(V_1^t) \cap untime(V_2^t) \supseteq untime(V_1^t \cap V_2^t)$

ii) $untime(V^t) \cap untime(W^t) = untime(V^t \cap W^t)$

iii) $untime(V^t) \cap untime(pr(W^t)) = untime(V^t \cap pr(W^t))$

iv) $time(V_1^{ut}) \cap time(V_2^{ut}) = time(V_1^{ut} \cap V_2^{ut})$

v) $untime(V_1^t) \cup untime(V_2^t) = untime(V_1^t \cup V_2^t)$

vi) $time(V_1^{ut}) \cup time(V_2^{ut}) = time(V_1^{ut} \cup V_2^{ut})$

Proof: Parts (i), (iv), (v), and (vi) follow from the definition of $untime$ as a many-to-one function. For part (ii) it remains to be shown that $untime(V^t) \cap untime(W^t) \subseteq untime(V^t \cap W^t)$. Suppose $w \in untime(V^t) \cap untime(W^t)$. Then there exists a $\nu \in V^t$ such that $untime(\nu) = w$. By Proposition 8.1, $A$ accepts every trace in $time(w)$, and therefore accepts $\nu$. As $A$ accepts $W^t$, we conclude that $\nu \in V^t \cap W^t$, and so the result follows. The proof of part (iii) is similar. □
Proposition 8.4 Let $V^t$ be a timed language over $\Sigma$. Let $V^{ut}$ be a non-timed language over $\Sigma \cup \{\tau\}$. Then

i) $pr(time(V^{ut})) = time(pr(V^{ut}))$

ii) $pr(untime(V^t)) = untime(pr(V^t))$

Proof:

i) Without loss of generality, we suppose that $V^{ut}$ consists of the singleton string $w$. We show inclusion in both directions.

Let $\mu$ be in $pr(time(w))$. Then there exists $\nu \in time(w)$ such that $\mu$ is a prefix of $\nu$. Applying the $untime$ function to both timed strings implies that $untime(\mu)$ is a prefix of $untime(\nu)$, which is $w$. Hence $\mu$ is in $time(pr(w))$.

Now suppose $\mu$ is in $time(pr(w))$. Then there is a string $v$ such that $v$ is a prefix of $w$, and $\mu$ is in $time(v)$. Since every timed string in $time(v)$ can be extended to a timed string in $time(v.v')$, with $v'$ an untimed sequence, there is a timed string $\nu$ in $time(w)$ of which $\mu$ is a prefix. So $\mu$ is in $pr(time(w))$.

ii) Analogous to (i).

□

8.4 Untimed Automata

Let $A$ be a finite-state timed automaton. We now define the untimed finite-state automaton $Untime(A) = (\Sigma^{ut}, Q^{ut}, \delta^{ut}, F^{ut})$ with alphabet $\Sigma^{ut} = \Sigma \cup \{\tau\}$, states $Q^{ut} = Q \times Regs(A)$, and final states $F^{ut} = F \times Regs(A)$. The initial states are $I^{ut} = I \times reg(0_v)$. The transition relation $\delta^{ut} \subseteq Q^{ut} \times \Sigma^{ut} \times Q^{ut}$ is given by

i) (event occurs): $((q, reg(v)), \sigma, (q', reg(v'))) \in \delta^{ut}$ for $\sigma \in \Sigma$ if there exists a tuple $(q, q', \sigma, \pi, E) \in \delta$ such that $v$ satisfies $E$ and $v' = [\pi \mapsto 0]v$.

ii) (time passes): $((q, reg(v)), \tau, (q, reg(v'))) \in \delta^{ut}$ if $succ(reg(v)) = reg(v')$.

Lemma 8.1

i) The automaton $Untime(A)$ is deterministic and accepts the language $untime_A(\mathcal{L}(A))$.

ii) $time_A(\mathcal{L}(Untime(A))) = \mathcal{L}(A)$.

Proof: Immediate from the construction and Proposition 8.1. □

The following lemma states the complexity of the untiming operation in a slightly different form from [8].
Lemma 8.2 The automaton $Untime(A)$ has $O(|Q| \cdot 2^{N \cdot [\ell + 1 + \log N]})$ states and $O([|Q| + |\delta|] \cdot 2^{N \cdot [\ell + 1 + \log N]})$ edges, where $\ell$ is the number of bits needed to encode the largest integer constant in the transitions' timing constraints. Furthermore it can be constructed in time $O([|Q| + N \cdot |\delta|] \cdot 2^{N \cdot [\ell + 1 + \log N]} \cdot N \cdot [\log N + \ell + 2])$.

Proof: The states of $Untime(A)$ are pairings of states of $A$ with regions of $A$. The number of regions is the number of equivalence classes of $A$'s clock evaluations, which is bounded by $(\prod_{i=1}^{N} (c_{x_i} + 2)) \cdot (2^N \cdot N!)$. Recall that $c_{x_i}$ stands for the largest constant that clock $i$ is compared to. This expression represents the product of the number of integer values for the clocks multiplied by the number of orderings of the fractional parts of the clocks, and is $O(2^{N \cdot [\ell + 1 + \log N]})$. Hence the number of states is $O(|Q| \cdot 2^{N \cdot [\ell + 1 + \log N]})$.

The untimed automaton's next-state relation has exactly one edge labeled $\tau$ for every state in $Untime(A)$. For every edge out of $q$ in $A$, there is at most one edge in $Untime(A)$ out of $(q, \alpha)$ for any region $\alpha$. Hence the number of edges is $O([|Q| + |\delta|] \cdot 2^{N \cdot [\ell + 1 + \log N]})$.

First notice that each region can be represented by a bit vector. The representation consists of the integer clock values and the ordering of the fractional parts of the $N$ clocks. Its size is bounded by $O(N \cdot [\log N + \ell + 2])$. Computing the $\tau$-successor of each region can be done in time linear in the size of the representation of the region. Thus computing all $\tau$-successors takes time $O(|Q| \cdot 2^{N \cdot [\ell + 1 + \log N]} \cdot N \cdot [\log N + \ell + 2])$. Testing whether a transition in $A$ should be enabled in the untimed automaton state $(q, \alpha)$ and computing the correct successor state after resetting the clocks is an $O(N \cdot N \cdot [\log N + \ell + 2])$ operation. Thus all non-$\tau$ edges can be computed in time $O(|\delta| \cdot 2^{N \cdot [\ell + 1 + \log N]} \cdot N \cdot N \cdot [\log N + \ell + 2])$. □

The same techniques can be used to construct an untimed automaton accepting the untimed language of a TBA. The construction is more complicated because it must also take into account the finiteness condition.

Lemma 8.3 Given a deterministic timed Büchi automaton $A$, a deterministic untimed Büchi automaton accepting $untime(\mathcal{L}(A))$ can be constructed. Its size is $O(|Q| \cdot N \cdot 2^{N \cdot [\ell + 1 + \log N]})$.

Proof: The proof is along the lines of the one given in [8]. Recall that an infinite run of the TBA $A$ is accepting if it passes through infinitely many final states of $A$, and time progresses. Consider the automaton $U$ resulting from the same untiming construction as for timed regular automata. Unfortunately when it is interpreted as a Büchi automaton, the language accepted is not $untime(\mathcal{L}(A))$. While it does accept every string in $untime(\mathcal{L}(A))$, it also accepts some infinite untimed traces that do not correspond to infinite timed traces accepted by $A$: namely runs for executions with infinitely many events in a finite time interval, where time does not progress. We must therefore restrict $U$ to runs that do reflect the progress of time, by enforcing an additional acceptance constraint.

Consider a run of $A$ for a timed trace $\nu$ for which time progresses without bound. Every clock is either reset infinitely often or allowed to advance indefinitely. Therefore $U$'s run for $untime(\nu)$ must satisfy one of two conditions for every clock $i$. Either there are infinitely many transitions corresponding to clock $i$'s being reset, or the run reflects clock $i$ being unbounded in the tail of its run. This latter condition is the same as having $A$'s run eventually remain among states whose clock valuation component indicates the clock has passed its maximal reference value. In other words, clock $i$ eventually always has a value greater than $c_i$, the largest integer to which clock $i$ is ever compared. While these conditions are not Büchi conditions on the untimed automaton $U$, it is not difficult to transform $U$ into a Büchi automaton that only accepts runs satisfying these conditions. The size of the automaton is multiplied by the number of clocks. □


9  Supervisor  Synthesis 

The  supervisor  synthesis  problem  consists  of  constructing  a  non-blocking  supervisor  such  that  the  closed- 
loop  behavior  is  contained  in  a  given  specification  language.  When  a  plant  and  its  specification  are  given 
as  untimed  deterministic  finite-state  automata,  the  supervisor  synthesis  problem  is  polynomially  solvable 
[3].  In  this  section  we  show  that  when  real-time  is  introduced  into  the  supervisory  control  problem, 
and  the  problem  is  represented  by  finite-state  deterministic  timed  automata,  the  synthesis  problem 
remains  decidable.  The  algorithm  uses  the  untiming  techniques  of  the  previous  section  to  reduce  the 
timed  problem  into  the  familiar  untimed  synthesis  problem.  The  total  complexity  of  the  timed  synthesis 
algorithms  is  exponential,  due  to  the  exponential  blow-up  in  the  untiming  operation. 

For  clarity,  we  shall  superscript  timed  and  untimed  languages  with  “t”  and  “ut”  in  the  remainder 
of  this  section. 


9.1  Languages  of  Finite  Timed  Traces 

9.1.1  Synchronizing  Plant  and  Specification  Automata 

In light of the previous section, it may be tempting to solve the synthesis problem for timed traces by untiming the automata, and then applying the synthesis algorithm for untimed processes. However, this reduction is unsound, since the timing information in the individual automata is independent, i.e. a timed trace would have different untimed representations when untimed with respect to the plant automaton and with respect to the specification automaton.

We must first synchronize the automata. Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be deterministic timed automata. Construct the timed automaton $\mathcal{A}_1' = comp(\mathcal{A}_1) \times \mathcal{C}_2$ where $\mathcal{C}_2$ is obtained by making all states of the completion $comp(\mathcal{A}_2)$ final. Notice that $\mathcal{A}_1'$ has a run for every finite timed trace, and that $\mathcal{A}_1'$ accepts $\mathcal{L}(\mathcal{A}_1)$. Intuitively $\mathcal{A}_1'$ inherits the state-transition structure and clock-resetting properties of $\mathcal{A}_2$ without changing its acceptance conditions. Let $\mathcal{A}_2'$ be similarly defined.

Lemma 9.1 For every timed trace $\nu$, $untime_{\mathcal{A}_1'}(\nu) = untime_{\mathcal{A}_2'}(\nu)$.

Proof: The automaton $comp(\mathcal{A}_i)$ differs from $\mathcal{C}_i$ only in its final states. Therefore by the construction of $\mathcal{A}_1'$ and $\mathcal{A}_2'$ and the definition of the product of two automata, $\mathcal{A}_1'$ and $\mathcal{A}_2'$ have identical alphabets, state sets, initial states, clocks, and transition functions. They differ only in their final states. The definition of $untime_{\mathcal{A}}(\nu)$ is independent of the final states of $\mathcal{A}$ and therefore it follows that $untime_{\mathcal{A}_1'}(\nu) = untime_{\mathcal{A}_2'}(\nu)$. □

Note also that when a timed automaton is untimed, the original final states of the timed automaton affect only the final states of the untimed automaton, not the transition structure. Therefore, the automata $Untime(\mathcal{A}_1')$ and $Untime(\mathcal{A}_2')$ share the same transition structure. They too differ only in their final states. We consider the automaton $Untime(\mathcal{A}_{L^t}')$ to be synchronized with $Untime(\mathcal{A}_{E^t}')$ in the sense that their transition tables are identical.

9.1.2  Reduction  to  Untimed  Supervisory  Control  Problem 

Suppose we are interested in the timed supervisory control problem, with timed plant language $L^t$, timed specification language $E^t$, and uncontrollable events $\Sigma_u$. Let $\mathcal{A}_{E^t}$, $\mathcal{A}_{L^t}$ be TRA for the specification and plant languages $E^t$ and $L^t$. Let their primed versions be obtained by synchronizing the automata as described in the previous section. We show that it is sufficient to solve instead the untimed supervisory control problem with the (untimed) plant language $L^{ut}$, (untimed) specification language $E^{ut}$, and uncontrollable events $\Sigma_u^{ut} = \Sigma_u \cup \{\tau\}$, where $L^{ut} = untime_{\mathcal{A}_{L^t}'}(L^t)$ and $E^{ut} = untime_{\mathcal{A}_{E^t}'}(E^t)$. From now on, we use the unsubscripted function $untime$ to mean $untime_{\mathcal{A}_{L^t}'}$ and $untime_{\mathcal{A}_{E^t}'}$ since they represent the same function. The same is done for the $time$ operator. Note that $E^t = time(untime(E^t))$ and $L^t = time(untime(L^t))$, because of Proposition 8.1.

Notice that in the untimed problem, the passing of time, as represented by the special newly-introduced event $\tau$, is an uncontrollable event, i.e. the set of uncontrollable events for the untimed supervisory problem is $\Sigma_u^{ut} = \Sigma_u \cup \{\tau\}$.

Theorem 9.1 Let $K^t$ be a timed language over the alphabet $\Sigma$, and let $K^{ut}$ be an untimed language over the alphabet $\Sigma \cup \{\tau\}$.

i) If $K^{ut}$ is $[untime(L^t), \Sigma_u \cup \{\tau\}]$-controllable and $untime(L^t)$-closed then $time(K^{ut})$ is $[L^t, \Sigma_u]$-controllable and $L^t$-closed.

ii) If $K^t$ is $[L^t, \Sigma_u]$-controllable and $L^t$-closed then $untime(K^t)$ is $[untime(L^t), \Sigma_u \cup \{\tau\}]$-controllable and $untime(L^t)$-closed.

Proof: See Appendix A. □

The  following  useful  corollary  relates  the  supremal  controllable  and  closed  sublanguages  of  the  timed 
and  untimed  problems. 

Corollary 9.1 $\sup \mathcal{C}^{F,t}[L^t, \Sigma_u](E^t) = time(\sup \mathcal{C}^{F,ut}[untime(L^t), \Sigma_u \cup \{\tau\}](untime(E^t)))$.

Proof: We show containment in two directions. For notational convenience, let $L^{ut} = untime(L^t)$, and let $E^{ut} = untime(E^t)$.

LHS $\subseteq$ RHS:

Taking $K^t$ to be $E^{t\uparrow} = \sup \mathcal{C}^{F,t}[L^t, \Sigma_u](E^t)$ in Theorem 9.1 implies the language $untime(E^{t\uparrow})$ is $[L^{ut}, \Sigma_u \cup \{\tau\}]$-controllable and $L^{ut}$-closed. Furthermore it is contained in $untime(E^t)$ by monotonicity of the $untime$ operator, and is therefore a subset of $\sup \mathcal{C}^{F,ut}[L^{ut}, \Sigma_u \cup \{\tau\}](E^{ut})$. It follows that $E^{t\uparrow} = time(untime(E^{t\uparrow})) \subseteq time(\sup \mathcal{C}^{F,ut}[L^{ut}, \Sigma_u \cup \{\tau\}](E^{ut}))$, as required.

RHS $\subseteq$ LHS:

Taking $K^{ut}$ to be $(E^{ut})^{\uparrow} = \sup \mathcal{C}^{F,ut}[L^{ut}, \Sigma_u \cup \{\tau\}](E^{ut})$ in Theorem 9.1 implies $time((E^{ut})^{\uparrow})$ is $[L^t, \Sigma_u]$-controllable and $L^t$-closed. Clearly $(E^{ut})^{\uparrow} \subseteq untime(E^t)$. As the two automata $\mathcal{A}_{E^t}$ and $\mathcal{A}_{L^t}$ are synchronized and because of Proposition 8.1, $time(untime(E^t)) = E^t$. It follows then that $time((E^{ut})^{\uparrow}) \subseteq E^t$, and is therefore a subset of $\sup \mathcal{C}^{F,t}[L^t, \Sigma_u](E^t)$. □


9.1.3  Synthesis  Procedure 

From the previous subsection it follows that the timed supervisor for $time(\sup \mathcal{C}^{F,ut}[L^{ut}, \Sigma_u^{ut}](E^{ut}))$, as constructed in Theorem 6.1, is the least restrictive controller for the timed supervisory control problem. This result suggests the following procedure for finding the least restrictive controller in a timed supervisory control problem: firstly, synchronize the timed automata for the plant and its specification; secondly, untime them; thirdly, solve the untimed supervisory control problem; fourthly, time the supremal solution; finally, extract a supervisor. This is shown in Figure 3.

However, given a controllable and closed language $K^{ut}$, it is not necessary to first time $K^{ut}$ in order to extract a timed supervisor for $time(K^{ut})$. Instead it is possible to construct the desired timed supervisor $f$ directly from an untimed supervisor $f^{ut}$ for $K^{ut}$, as follows:

$$\sigma \in f(\nu, t) \quad\text{iff}\quad \sigma \in f^{ut}(untime_{\mathcal{A}_{L^t}'}(\nu.(\varepsilon, t))). \qquad (1)$$

During a timed execution the supervisor $f$ monitors time and simulates the actions of automaton $\mathcal{A}_{L^t}'$. At any given time it can determine the state of $\mathcal{A}_{L^t}'$ and the current clock valuation. Hence it can also determine the untimed trace corresponding to the timed execution seen so far. The supervisor $f$ allows an action if and only if $f^{ut}$ allows the action for this untimed trace.
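The untimed synthesis step of the procedure above and the supervisor extraction of equation (1), as an added Python example that is not part of the paper: it prunes a synchronized untimed automaton down to the states generating the supremal controllable and $L^{ut}$-closed sublanguage with $\tau$ uncontrollable, then applies the resulting control mask along an untimed trace. The automaton, its state names and its events (a constructed resource-allocator toy in which only request is controllable) are assumptions rather than the paper's figures; read the supervisor as a runtime enforcement monitor that may only disable controllable events and must tolerate whatever time passing and the environment do.

```python
# Added example, not from the paper: the untimed synthesis step of Section 9.1.3
# on a synchronized untimed automaton (time-passing event tau included) plus the
# supervisor extraction of equation (1).  All names below are a constructed toy.
from collections import deque

TAU = "tau"  # passing of time; always uncontrollable (Section 9.1.2)

# Plant and specification share states and transitions and differ only in their
# final states (Lemma 9.1).  "q0x" is reached after a refusal: the plant accepts
# there, the specification ("no refusals") does not.
STATES = {"q0", "q1", "q2", "q3", "q0x"}
INIT = "q0"
DELTA = {
    ("q0", TAU): "q1", ("q0", "request"): "q3",  # request now is "too early"
    ("q1", TAU): "q1", ("q1", "request"): "q2",  # inside the window: grant only
    ("q2", TAU): "q2", ("q2", "grant"): "q0",
    ("q3", TAU): "q3", ("q3", "grant"): "q0", ("q3", "refuse"): "q0x",
    ("q0x", TAU): "q0x",
}
PLANT_FINAL = {"q0", "q0x"}                 # marks L^ut
SPEC_FINAL = {"q0"}                         # marks E^ut
UNCONTROLLABLE = {TAU, "grant", "refuse"}   # Sigma_u U {tau}

def coreachable(delta, allowed, targets):
    """States in `allowed` that can reach `targets` without leaving `allowed`."""
    preds = {}
    for (q, _e), q2 in delta.items():
        if q in allowed and q2 in allowed:
            preds.setdefault(q2, set()).add(q)
    seen = {t for t in targets if t in allowed}
    work = deque(seen)
    while work:
        for p in preds.get(work.popleft(), ()):
            if p not in seen:
                seen.add(p)
                work.append(p)
    return seen

def reachable(delta, allowed, init):
    """States in `allowed` reachable from `init` without leaving `allowed`."""
    seen = {init} & allowed
    work = deque(seen)
    while work:
        q = work.popleft()
        for (p, _e), q2 in delta.items():
            if p == q and q2 in allowed and q2 not in seen:
                seen.add(q2)
                work.append(q2)
    return seen

def supremal_good_states(states, delta, init, plant_final, spec_final, unc):
    """Prune until the surviving states generate the supremal sublanguage of
    E^ut that is [L^ut, Sigma_u U {tau}]-controllable and L^ut-closed."""
    plant_live = coreachable(delta, states, plant_final)   # states of pr(L^ut)
    good = coreachable(delta, states, spec_final)           # states of pr(E^ut)
    good &= reachable(delta, good, init)
    while True:
        bad = set()
        for q in good:
            # L^ut-closedness: a plant-final state inside pr(K) must be K-final.
            if q in plant_final and q not in spec_final:
                bad.add(q)
            # Controllability: an uncontrollable event (tau included) that the
            # plant can still perform must not lead out of pr(K).
            for e in unc:
                q2 = delta.get((q, e))
                if q2 is not None and q2 in plant_live and q2 not in good:
                    bad.add(q)
        if not bad:
            return good
        good -= bad
        good = coreachable(delta, good, spec_final & good)  # re-trim
        good &= reachable(delta, good, init)

def control_mask(good, delta, state, unc):
    """Untimed supervisor f^ut: the events enabled in `state` (its control
    mask).  Uncontrollable events can never be disabled."""
    return set(unc) | {e for (q, e), q2 in delta.items()
                       if q == state and e not in unc and q2 in good}

def supervise(trace, good, delta, init, unc):
    """Track the automaton along an untimed trace, as the timed supervisor of
    equation (1) does after untiming what it has seen; return the index of the
    first event f^ut disables, or None if the whole trace is allowed."""
    state = init
    for i, e in enumerate(trace):
        if (state, e) not in delta:
            raise ValueError(f"event {e!r} is not possible in state {state}")
        if e not in control_mask(good, delta, state, unc):
            return i
        state = delta[(state, e)]
    return None

if __name__ == "__main__":
    good = supremal_good_states(STATES, DELTA, INIT, PLANT_FINAL,
                                SPEC_FINAL, UNCONTROLLABLE)
    for q in sorted(good):  # q3 is pruned: refuse is uncontrollable there
        print(q, sorted(control_mask(good, DELTA, q, UNCONTROLLABLE)))
```

Because $\tau$ is uncontrollable the supervisor can never force a request, only withhold it until the window state is reached, which is exactly why the "too early" branch through q3 is cut away.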

Lemma 9.2 The timed supervisor $f$ derived as above from the untimed supervisor $f^{ut}$ for $K^{ut}$ yields the supervised timed language $time(K^{ut})$.

Proof: Let $L^t_f$ be the language resulting from $f$'s supervision of the plant $L^t$. We need to prove that $L^t_f = time(K^{ut})$. As $untime(\nu(\varepsilon,t)).\sigma \in pr(K^{ut})$ if and only if $\nu(\sigma,t) \in pr(time(K^{ut}))$, it follows that the prefixes $L_f$ resulting from $f$'s supervision of $L^t$ are $time(pr(K^{ut}))$. $L^t_f$ is by definition $L^t \cap L_f$, which is the same as $time(pr(K^{ut})) \cap L^t$. Because of Propositions 8.3 and 8.4, this in turn is equal to $time(K^{ut})$ and the lemma follows. □

Theorem 9.2 Let the specification $E^t$ and the plant $L^t$ be languages of finite timed traces such that $E^t \subseteq L^t$. Let $\mathcal{A}_{E^t}$ and $\mathcal{A}_{L^t}$ be deterministic timed regular automata such that $E^t = \mathcal{L}(\mathcal{A}_{E^t})$ and $L^t = \mathcal{L}(\mathcal{A}_{L^t})$. The supervisory control problem is solvable in time polynomial in the sizes of $\mathcal{A}_{E^t}$ and $\mathcal{A}_{L^t}$ and exponential in the total number of clocks and the bit-length of their timing constants.

Proof: By Corollary 9.1 we may reduce the control problem over timed traces to that for untimed traces. The automaton representations remain deterministic, and so the untimed problem can be solved in the usual way. The solution yields a supervisor for the supremal controllable sublanguage, where the passing of time, as represented by the $\tau$ event, is considered an uncontrollable event. The timed supervisor is extracted directly from the untimed supervisor as shown above. The complexity follows from the complexity of the untiming construction in Lemma 8.2. □


9.2  Languages  of  Infinite  Timed  Traces 

9.2.1  Reduction  to  Untimed  Supervisory  Control  Problem 

Just  as  for  finite  timed  traces,  the  supervisory  control  problem  for  infinite  timed  traces  can  be  reduced 
to  the  untimed  problem. 

We  would  like  to  show  a  correspondence  between  supervised  timed  languages  and  supervised  untimed 
languages,  analogous  to  the  finite  trace  case.  Theorem  9.1  of  the  previous  subsection  gives  a  direct 
relationship  between  individual  supervised  languages  of  finite  traces,  but  only  the  equivalent  of  part  (i) 
is  true  in  the  infinite  trace  case. 

Theorem 9.3 Let $S^t = time(S^{ut})$ and let $B^{ut} \subseteq S^{ut}$ be an untimed infinite language over the alphabet $\Sigma \cup \{\tau\}$. If $pr(B^{ut})$ is $[pr(untime(S^t)), \Sigma_u \cup \{\tau\}]$-controllable and $B^{ut}$ is closed wrt. $untime(S^t)$ then $pr(time(B^{ut}))$ is $[pr(S^t), \Sigma_u]$-controllable and $time(B^{ut})$ is closed wrt. $S^t$.

Proof: See Appendix A. □

Unfortunately  it  is  not  true  that  untiming  an  arbitrary  supervised  timed  language  gives  a  supervised 
untimed  language. 

Example 9.1 Let $S^t$ be the language accepted by the TBA $\mathcal{A}_{S^t}$ of Figure 4, where $\Sigma_u = \{u\}$ and $\Sigma_c = \{a, b\}$. Consider the language $B^t = \{(u,t), (a, 1+t), (a, 2+t), \ldots, (a, i+t), (b, i+1+t), (b, i+2+t), \ldots \mid 0 < t < 1,\ i = $ [illegible]$\}$. Its prefixes are controllable wrt. $S^t$. Furthermore it is closed relative to $S^t$ because every prefix $\nu$ with $t_\nu > 1$ is a prefix of a unique string $\nu' \in B^t$. Thus there is a supervisor $f$ for $B^t$: it observes the occurrence time $t$ of the uncontrollable event $u$, and then allows the correct number of $a$ events before continually allowing only $b$ events.

Untiming $B^t$ gives the language $untime(B^t) = B^{ut} = \{\tau u (\tau\tau a)^* (\tau\tau b)^\omega\}$, and $untime(S^t) = S^{ut} = B^{ut} \cup \{\tau u (\tau\tau a)^\omega\}$. While $pr(B^{ut})$ is controllable, it is not closed relative to $S^{ut}$, because $\tau u (\tau\tau a)^\omega \in pr(B^{ut})^\infty$ is an adherent point of $B^{ut}$. Thus $untime(B^t)$ is not a supervised sublanguage of $untime(S^t)$. □


Instead  we  relate  the  union  of  supervised  timed  languages  to  the  union  of  supervised  untimed  lan¬ 
guages. 

Theorem 9.4 Let $S^t$ be a plant language of infinite timed traces represented by the TBA $\mathcal{A}_{S^t}$. Let $B^t \subseteq S^t$ be a language of infinite timed traces. If $pr(B^t)$ is $[pr(S^t), \Sigma_u]$-controllable and $B^t$ is closed relative to $S^t$, then $B^t = \bigcup_{\nu \in B^t} B_\nu$ such that each $untime(B_\nu)$ is $[untime(S^t), \Sigma_u \cup \{\tau\}]$-controllable and closed relative to $untime(S^t)$. In addition, $pr(untime(B^t))$ is $[untime(S^t), \Sigma_u \cup \{\tau\}]$-controllable and $untime(B^t) = \bigcup_{\nu \in B^t} untime(B_\nu)$.
Proof: Throughout this proof, $untime$ is used to represent the function $untime_{\mathcal{A}_{S^t}}$. The $[untime(S^t), \Sigma_u \cup \{\tau\}]$-controllability of $pr(untime(B^t))$ can be derived as in the proof of Theorem 9.1.

Assume that $B_\nu$ has the following properties.

i) $\nu \in B_\nu$,

ii) $B_\nu \subseteq B^t$,

iii) for all $\nu_1, \nu_2 \in pr(B_\nu)$, $untime(\nu_1) = untime(\nu_2) \Rightarrow \nu_1 \in pr(\nu_2)$ or $\nu_2 \in pr(\nu_1)$,

iv) $pr(untime(B_\nu))$ is $[untime(S^t), \Sigma_u \cup \{\tau\}]$-controllable,

v) $B_\nu$ is closed relative to $S^t$.

It is clear that $B^t = \bigcup_{\nu \in B^t} B_\nu$ and $untime(B^t) = \bigcup_{\nu \in B^t} untime(B_\nu)$. By assumption (condition (iv)), $pr(untime(B_\nu))$ is $[untime(S^t), \Sigma_u \cup \{\tau\}]$-controllable. Let us show that $untime(B_\nu)$ is also $untime(S^t)$-closed.

Suppose an infinite untimed string $w$ has infinitely many prefixes $w_i$ in $untime(B_\nu)$. To prove $untime(B_\nu)$ is closed relative to $untime(S^t)$, we must show that $w$ is either in $untime(B_\nu)$ or not in $untime(S^t)$. From each of these prefixes choose a timed string $\mu_i \in pr(B_\nu)$ such that $untime(\mu_i) = w_i$. Because these timed strings are extensions of each other, their limit is an infinite trace $\mu$, where $untime(\mu) = w$. Relative closure of $B_\nu$ with respect to $S^t$ implies that either $\mu$ is not in $S^t$ or $\mu$ is in $B_\nu$. If $\mu$ is in $B_\nu$ then clearly $w$ is in $untime(B_\nu)$. If $\mu$ is not in $S^t$, then $untime(\mu)$ is not in $untime(S^t)$ because $S^t = time(untime(S^t))$. Thus the language $untime(B_\nu)$ is closed relative to $untime(S^t)$.

It remains to show that a language $B_\nu$ exists for each trace $\nu \in B^t$. To see that such a language does indeed exist, consider first $B_{\nu,0} = \{\nu\}$. Clearly it satisfies the first three conditions. Traces from $B^t$ can be added until condition (iv) is met without violating conditions (i)-(iii). Assume there is $w \in pr(untime(B_{\nu,0}))$ such that $w.(\Sigma_u \cup \{\tau\}) \cap untime(S^t) \not\subseteq pr(untime(B_{\nu,0}))$. As $B^t$ is $[S^t, \Sigma_u]$-controllable and accepted by the TBA $\mathcal{A}_{S^t}$, there is a trace $\nu_w \in time[w.(\Sigma_u \cup \{\tau\}).(\Sigma_u \cup \{\tau\})^\omega] \cap B^t$ that can be added to $B_{\nu,0}$ and that does not violate (iii). Indeed $time(w)$ will be a prefix of $\nu_w$. This can be done until $pr(untime(B_{\nu,0}))$ is $[untime(S^t), \Sigma_u \cup \{\tau\}]$-controllable, thereby meeting condition (iv). As $untime(B^t)$ is $[untime(S^t), \Sigma_u \cup \{\tau\}]$-controllable, the language $B_{\nu,0}$ will be contained in $B^t$, thus meeting condition (ii). Now take $B_\nu$ to be $pr(B_{\nu,0})^\infty \cap B^t$. As $B^t$ is closed relative to $S^t$, it follows that $B_\nu$ is closed relative to $S^t$. It is easy to see that $B_\nu$ meets all conditions (i)-(v) above. □

Corollary 9.2 Let $S^t$ be a plant language of infinite timed traces represented by the TBA $\mathcal{A}_{S^t}'$ and let $A^t$ be a specification language of timed infinite traces.

i) $untime(\bigcup \mathcal{C}^{F,t,\omega}[S^t, \Sigma_u](A^t)) = \bigcup \mathcal{C}^{F,ut,\omega}[untime(S^t), \Sigma_u \cup \{\tau\}](untime(A^t))$

ii) $\bigcup \mathcal{C}^{F,t,\omega}[S^t, \Sigma_u](A^t) = time(\bigcup \mathcal{C}^{F,ut,\omega}[untime(S^t), \Sigma_u \cup \{\tau\}](untime(A^t)))$

Proof: To enhance readability, we use timed-solns to denote $\mathcal{C}^{F,t,\omega}[S^t, \Sigma_u](A^t)$, and untimed-solns to denote $\mathcal{C}^{F,ut,\omega}[untime(S^t), \Sigma_u \cup \{\tau\}](untime(A^t))$. The union operator $\bigcup$ applied to a class means the union over the members of the class.

i) LHS $\subseteq$ RHS: $untime(\bigcup \text{timed-solns}) = \bigcup untime(\text{timed-solns}) \subseteq \bigcup \text{untimed-solns}$, by Theorem 9.4.
RHS $\subseteq$ LHS: $time(\bigcup \text{untimed-solns}) = \bigcup time(\text{untimed-solns}) \subseteq \bigcup \text{timed-solns}$, by Theorem 9.3.

ii) LHS $\subseteq$ RHS: Apply the $time$ operator to both sides of part (i), then observe that $\bigcup \text{timed-solns} \subseteq time(untime(\bigcup \text{timed-solns}))$.

RHS $\subseteq$ LHS: proven above.

□


Corollary 9.3 The infinite timed supervisory control problem for the plant $S^t$ and the specification $A^t$ has a non-trivial solution (i.e. the class contains a non-empty language) if and only if

$$\bigcup \mathcal{C}^{F,ut,\omega}[untime(S^t), \Sigma_u \cup \{\tau\}](untime(A^t)) \neq \emptyset.$$

Proof: Immediate from Corollary 9.2.


9.2.2  Synthesis  Procedure 

The  synthesis  procedure  that  solves  the  infinite  timed  supervisory  control  problem  is  shown  in  Figure  5. 
Firstly,  synchronize  the  timed  automata  for  the  plant  and  its  specification;  secondly,  untime  them; 
thirdly,  compute  the  language  that  characterizes  the  solution  of  the  untimed  supervisory  control  problem 
as  in  [16];  derive  a  solution  to  the  untimed  supervisory  control  problem;  time  the  solution;  finally  extract 
a  supervisor. 

Just  as  in  the  finite  case  however,  a  supervisor  can  be  extracted  directly. 

Lemma 9.3 The timed supervisor $f$ derived as in equation (1) from the untimed supervisor for $B^{ut}$ yields the supervised timed language $time(B^{ut})$.

Proof: Analogous to Lemma 9.2. □

The  following  theorem  illustrates  the  feasibility  of  the  synthesis  procedure. 

Theorem 9.5 Let the specification $A^t$ and the plant $S^t$ be languages of infinite timed traces such that $A^t \subseteq S^t$. Let $\mathcal{A}_{A^t}$ and $\mathcal{A}_{S^t}$ be deterministic timed Büchi automata such that $A^t = \mathcal{L}(\mathcal{A}_{A^t})$ and $S^t = \mathcal{L}(\mathcal{A}_{S^t})$. The supervisory control problem is solvable in time polynomial in the sizes of $\mathcal{A}_{S^t}$ and $\mathcal{A}_{A^t}$ and exponential in the total number of clocks and the bit-length of their timing constants.

Proof: Follows from Corollary 9.3, Lemma 9.3, Theorem 3.3 and Lemma 8.3. □
9.3 Lower Bound on Complexity

We now show that we cannot expect to solve the timed supervisory problem more efficiently than outlined above. The complexity of the problem is tied to the expressiveness of timed automata. Even the task of analyzing whether a timed automaton accepts any timed trace at all is computationally difficult.

Theorem 9.6 ([12], Theorem 3.39) Deciding emptiness of a timed Büchi automaton is PSPACE-hard. □

From  this  result,  we  can  prove  the  following  lower  bound  on  the  complexity  of  timed  supervisory 
control. 

Corollary  9.4  The  timed  supervisory  control  problem  for  both  finite  and  infinite  traces  is  PSPACE- 
hard. 

Proof: We first show that the problem of deciding emptiness of a timed regular automaton is PSPACE-hard. We refer the reader to the proof of Theorem 3.39 in [12] for details, and merely indicate the idea involved. We observe that only trivial modification need be made to Alur's proof [12] that checking for emptiness of a timed Büchi automaton is PSPACE-hard. The problem of deciding whether a linear-bounded automaton (LBA) accepts a given input string is a well-known PSPACE-complete problem. From an instance of this problem, Alur constructs a TBA that has a non-empty language iff the LBA accepts its input. The proof could just as well construct a timed regular automaton, thereby reducing the LBA problem to the emptiness problem for timed regular automata.

Since  checking  emptiness  for  deterministic  timed  regular  automata  is  no  simpler  than  for  nonde- 
terministic  automata,  the  emptiness  problem  for  the  class  of  deterministic  automata  is  also  PSPACE- 
complete. 

We now show that the emptiness problem for deterministic timed regular automata reduces to the timed supervisory control problem. Suppose we are given the deterministic TRA $\mathcal{A}$ over the alphabet $\Sigma$. Assume without loss of generality that no event is enabled at time 0. Consider the supervisory control problem where the plant is represented by an automaton accepting the language $(a,0).\mathcal{L}(\mathcal{A})$, where $a$ is a symbol not in $\Sigma$, and the specification language is $\{(a,0)\}$. The event $a$ is controllable, while all events in $\Sigma$ are uncontrollable. Then $\mathcal{L}(\mathcal{A})$ is empty iff there is a supervisor for this control problem. □

Thus  it  is  extremely  unlikely  that  there  is  an  algorithm  for  the  timed  supervisory  control  problem 
that is not exponential. Alur and Dill [8] note that the proof of PSPACE-hardness does not depend on the choice of $\mathbb{R}^+$ as the time domain; the same result holds when using a discrete time domain. These
results  suggest  that  further  work  needs  to  be  done  to  discover  strict  subclasses  of  timed  automata  for 
which  the  problem  is  polynomially  solvable. 
10 Synthesis Examples

10.1  A  Semiconductor  Manufacturing  Example 

We  now  describe  a  synthesis  example  in  some  detail.  The  example  uses  a  simplified  timed  model  of  a 
part  of  a  semiconductor  wafer  processing  furnace.  The  specification  requires  that  a  semiconductor  wafer 
needs  to  be  cleaned  from  spurious  traces  of  oxide  that  inevitably  contaminate  the  wafer  in  the  ambient 
environment.  This  cleaning  is  performed  under  a  flow  of  hydrogen  and  at  the  right  temperature.  The 
plant  and  specification  model  are  given  as  languages  of  finite  timed  traces. 

A  timed  automaton  plant  model  for  the  process  under  consideration  is  shown  in  Figure  6.  The 
marking  to  denote  initial  and  final  states  is  conventional;  qo  is  the  only  initial  state  and  the  only 
final  state.  For  the  plant  to  confirm  that  the  wafer  is  clean,  the  wafer  needs  to  be  exposed  to  both 
gas  and  the  right  temperature  for  at  least  one  time  unit.  The  gas  line  and  the  heating  lamp  can 
be  activated  in  either  sequence.  However,  if  the  wafer  is  exposed  longer  than  4  time  units  to  high 
temperature but less than 5 units to hydrogen gas, it may deteriorate. The controllable events are $\Sigma_c = \{$set-temperature, enter-gas, initialize$\}$. The uncontrollable events are $\Sigma_u = \{$clean, deteriorate$\}$.

The  specification  requires  the  wafer  to  be  clean.  Thereafter  the  plant  can  be  initialized.  A  specifi¬ 
cation  model  is  shown  in  Figure  7. 

Figure 8 illustrates the relevant time regions. The axes correspond to the two timers $x_1$ and $x_2$.
Depending  on  the  valuation  of  the  timers,  the  deteriorate  event  can  occur.  The  shaded  area  indicates 
where  this  can  happen.  The  synthesis  procedure  will  make  sure  that  only  time  regions  where  the 
deteriorate  event  cannot  occur  are  reached.  As  both  timers  advance  at  the  same  rate,  the  desirable 
region  is  found  to  the  right  of  the  45°  line.  The  square  at  the  lower  bottom  will  not  be  reached  due  to 
the  time  guard  of  the  clean  event. 

Figure 9 shows the supremal $[L, \Sigma_u]$-controllable and $L$-closed sublanguage of $E$.

10.2  A  Non-Terminating  Process  Example 

This example demonstrates the controller synthesis procedure for modeling languages of infinite timed traces. The plant process $S$ is given by the automaton $\mathcal{A}_S$ of Figure 10. It is a timed Büchi automaton representing a resource allocator. Again, the marking to denote initial and final states is conventional; $q_0$ is the only initial state and the only final state. It continually responds to requests for access. If a request is made too soon or too late after the last response, it may be refused. Otherwise it will be granted within 5 seconds. The controllable event is $\Sigma_c = \{request\}$ and the uncontrollable events are $\Sigma_u = \{grant, refuse\}$.

Its  specification  states  that  the  resource  is  always  being  granted  within  6  seconds  of  the  time  of  the 
last  grant.  There  are  to  be  no  refusals.  A  TBA  that  expresses  the  precise  specification  is  shown  in 
Figure  11.  Notice  that  when  synchronizing  the  automata,  the  values  of  the  clock  z  in  the  specification 
will  coincide  with  those  of  the  clock  y  in  the  process. 

The language $A = \mathcal{L}(\mathcal{A}_A)$ is trivially closed relative to $S$, i.e. $pr(A)^\infty \cap S \subseteq A$, since the specification is itself a closed language. We may therefore either apply the synthesis algorithm of Section 9.2.2 to derive a controller if any exists or the procedure described in Appendix B.2.2.

The full synthesis procedure yields the timed supervisor shown in Figure 12. The figure is a graphical representation of the supervisor function $f$. Just like an automaton, the displayed graph is entered by its initial state. For every state and valuation of the timer $z$ a corresponding control mask $\gamma$ is displayed.

Part  of  the  untiming  construction  is  shown  in  Figure  13.  Here  each  subfigure  represents  a  collection 
of  regions.  For  instance,  subfigure  (i)  represents  all  regions  where  y  is  equal  to  0  and  x  has  any  value  less 
than  3.  A  transition  from  one  subfigure  to  another  represents  a  group  of  transitions  from  the  regions 
of  the  first  subfigure  to  the  regions  of  the  second.  There  is  a  transition  from  every  region  in  the  first 
subfigure  to  some  region  in  the  second,  and  for  every  region  in  the  second  subfigure  there  is  a  transition 
from one of the regions in the first. A transition labeled $\tau^*$ denotes a sequence of $\tau$ events.

Under the least restrictive supervisor shown in Figure 12, the plant goes through the cycle represented by the subfigures (i) to (vi). The request event is only enabled from subfigure (iv). If it is enabled any earlier, a refusal is possible. For instance, a request from subfigure (ii) leads to subfigure (vii), where the process is in state $q_2$. The only possible response is now a refusal. After a request from subfigure (iii), the process would be in state $q_1$ with its $y$ clock between 1 and 2. But now the refuse event is enabled. Thus the supervisor cannot allow the process to perform a request until $y$ is at least 2.

11  Conclusion 

The  supervisory  control  problem  over  dense  real-time  can  be  solved  by  combining  techniques  developed 
in  [2,  14]  and  in  [8,  9].  The  complexity  of  finding  controllers  is  polynomial  in  the  number  of  automaton 
states,  and  exponential  in  the  length  of  its  timing  information.  It  is  important  to  realize  that  this 
exponential  factor  is  not  due  to  the  use  of  the  real  numbers  for  time,  since  the  problem  is  PSPACE- 
hard  even  over  a  discrete  domain.  We  are  investigating  how  to  make  reasonable  assumptions  about  the 
system  to  avoid  this  computational  blow-up. 

We made some simplifying assumptions on the representations for timed languages. The timed automata we defined accept only traces which do not end with nothing happening, i.e. timed regular automata accept only traces that end with events from $\Sigma$, not with $\varepsilon$, and timed Büchi automata accept only infinite traces in which an infinite number of events from $\Sigma$ occur. These restrictions were made merely to simplify the exposition, and both can easily be removed.

In  analogy  to  the  untimed  model,  we  make  the  assumption  that  a  supervisor  can  only  enable  or 
disable  events  rather  than  force  them  upon  the  plant.  This  is  a  strong  model  restriction  because  in  most 
systems  the  supervisor  can  actually  force  or  schedule  events,  just  like  the  plant.  The  semantics  of  the 
presented  model  will  be  modified  to  accommodate  scheduling  capabilities  of  the  supervisor  in  a  later 
publication. 
In this paper we make the implicit assumption that there is no time delay between the plant and the
supervisor.  Li  and  Wonham  [21]  relaxed  this  assumption  in  a  setting  of  untimed  traces.  Further  research 
needs  to  be  done  to  incorporate  into  the  framework  an  accurate  and  yet  computationally  feasible  model 
of  communication  delay  between  the  controller  and  plant. 
A Proofs


Lemma A.1 Let $B \subseteq S \subseteq \Sigma^\infty$ and $L \subseteq \Sigma^*$ such that $L^\infty = S$ and $B$ is closed relative to $S$. Let $K = pr(B) \cap L$. Then

i) $pr(K) = pr(B)$

ii) $K^\infty = B$

Proof of Lemma A.1:

i) We show containment in two directions.
$pr(K) \subseteq pr(B)$: We have

$$pr(K) = pr[pr(B) \cap L] \subseteq pr(B) \cap pr(L) = pr(B).$$

$pr(B) \subseteq pr(K)$: As $B$ is closed relative to $S = L^\infty$, we have

$$\begin{aligned}
pr(B)^\infty \cap L^\infty &= B \\
\Rightarrow\ [pr(B) \cap L]^\infty &= B \\
\Rightarrow\ K^\infty &= B \\
\Rightarrow\ pr(K) \supseteq pr(K^\infty) &= pr(B)
\end{aligned}$$

ii) See proof of (i).

□

Proof of Theorem 6.1:

(if) Since $pr(B)$ is nonempty and controllable wrt. $S$ it follows from Theorem 6.1 that there exists a supervisor $f$ such that $L_f = pr(B)$. By the definition of $S_f$,

$$\begin{aligned} S_f &= pr(B)^\infty \cap S \\ &= B. \end{aligned}$$

Furthermore, $pr(S_f) = pr(B) = L_f$, which implies that $f$ is non-blocking.

(only if) If there exists a non-blocking supervisor $f$ such that $S_f = B$, then

$$L_f = pr(S_f) = pr(B).$$

From Theorem 5.1, $pr(B)$ is controllable wrt. $pr(S)$. The definition of $S_f$ yields

$$\begin{aligned} B &= S_f \\ &= L_f^\infty \cap S \\ &= pr(B)^\infty \cap S. \end{aligned}$$

And so $B$ is closed relative to $S$. □
Proof of Theorem 6.3:

i) This follows directly from the fact that $pr(\bigcup_i B_i) = \bigcup_i pr(B_i)$ and from Theorem 5.2(i).

ii) Let $B_1$ and $B_2$ be closed relative to $S$. Then

$$\begin{aligned} pr(B_1 \cup B_2)^\infty \cap S &= (pr(B_1) \cup pr(B_2))^\infty \cap S \\ &= (pr(B_1)^\infty \cup pr(B_2)^\infty) \cap S \\ &= B_1 \cup B_2. \end{aligned}$$

Thus $B_1 \cup B_2$ is closed relative to $S$.

iii) Denote by $\bigcup_i B_i$ the exhaustive union of all elements of $\mathcal{C}^{F,\omega}(B)$. Let

$$B^\uparrow = pr(\bigcup_i B_i)^\infty \cap S.$$

We first show that $pr(B^\uparrow)$ is controllable wrt. $pr(S)$.

$$\begin{aligned} pr(B^\uparrow) &\subseteq pr[pr(\bigcup_i B_i)^\infty] \cap pr(S) \\ &= pr(\bigcup_i B_i) \cap pr(S) \\ &= \bigcup_i pr(B_i) \end{aligned}$$

Conversely if $\nu \in \bigcup_i pr(B_i)$, then $\nu(t) = \mu(t)$, $\forall t \in I_\nu$ for some $i$ and $\mu \in B_i$. Since $B_i \subseteq S$, also $\mu \in S$. Thus, $\mu \in pr(\bigcup_i B_i)^\infty \cap S = B^\uparrow$, and it follows that $\nu \in pr(B^\uparrow)$. This shows that $pr(B^\uparrow) = \bigcup_i pr(B_i)$. Now since for each $i$, $pr(B_i)$ is a controllable language, it follows from Theorem 5.2 that $pr(B^\uparrow)$ is controllable.

Furthermore,

$$\begin{aligned} pr(B^\uparrow)^\infty \cap S &= pr[pr(\bigcup_i B_i)^\infty \cap S]^\infty \cap S \\ &\subseteq pr(\bigcup_i B_i)^\infty \cap S \\ &= B^\uparrow. \end{aligned}$$

So $B^\uparrow$ is closed relative to $S$.

We show now that $B^\uparrow$ is a subset of $B$. For this we use the assumption that $B$ is closed relative to $S$,

$$B^\uparrow = pr(\bigcup_i B_i)^\infty \cap S \subseteq pr(B)^\infty \cap S = B.$$

Thus $B^\uparrow$ is in $\mathcal{C}^{F,\omega}[S, \Sigma_u](B)$.

It is easy to see that $B^\uparrow$ is supremal. Since $B_i \subseteq B \subseteq S$, $B_i \subseteq \bigcup_i B_i \subseteq pr(\bigcup_i B_i)^\infty$ it is clear that for each $i$, $B_i \subseteq B^\uparrow$. Thus $\sup \mathcal{C}^{F,\omega}[S, \Sigma_u](B) = B^\uparrow$.

□


Proof of Theorem 9.1:

The following proof makes use of the results of Section 8.3. To see that the propositions apply, notice that the untime function is defined in terms of an automaton $A$ that accepts $L^t$.

To simplify the exposition, first observe that the controllability condition for an untimed language $K^{ut}$ wrt. $L^{ut}$ and $\Sigma^{ut}_u = \Sigma_u \cup \{\tau\}$ is equivalent to the following:
\[
pr(K^{ut})(\Sigma^{ut}_u)^* \cap pr(L^{ut}) \subseteq pr(K^{ut})
\]
i) Let $K^{ut}$ be any language that is $L^{ut}$-closed and controllable wrt. $L^{ut}$ and $\Sigma_u \cup \{\tau\}$. We show that $K^t = time(K^{ut})$ is $L^t$-closed and controllable wrt. $L^t$ and $\Sigma_u$.

Controllability:
\[
\begin{aligned}
& pr(K^{ut})(\Sigma_u \cup \{\tau\})^* \cap pr(L^{ut}) \subseteq pr(K^{ut}) \\
\Rightarrow\ & time[pr(K^{ut})(\Sigma_u \cup \{\tau\})^* \cap pr(L^{ut})] \subseteq time[pr(K^{ut})] \\
\Rightarrow\ & time[pr(K^{ut})(\Sigma_u \cup \{\tau\})^*] \cap time[pr(L^{ut})] \subseteq time[pr(K^{ut})] \\
\Rightarrow\ & time[pr(K^{ut})]((\Sigma_u \cup \{\varepsilon\}) \times \mathbb{R}^+) \cap time[pr(L^{ut})] \subseteq time[pr(K^{ut})] \\
\Rightarrow\ & pr(time[K^{ut}])((\Sigma_u \cup \{\varepsilon\}) \times \mathbb{R}^+) \cap pr(time[L^{ut}]) \subseteq pr(time[K^{ut}]) \\
\Rightarrow\ & pr(K^t)((\Sigma_u \cup \{\varepsilon\}) \times \mathbb{R}^+) \cap pr(L^t) \subseteq pr(K^t)
\end{aligned}
\]

Closedness:
\[
\begin{aligned}
& pr(K^{ut}) \cap L^{ut} = K^{ut} \\
\Rightarrow\ & time[pr(K^{ut}) \cap L^{ut}] = time[K^{ut}] \\
\Rightarrow\ & time[pr(K^{ut})] \cap time[L^{ut}] = time[K^{ut}] \\
\Rightarrow\ & pr[time(K^{ut})] \cap time[L^{ut}] = time[K^{ut}] \\
\Rightarrow\ & pr[K^t] \cap L^t = K^t
\end{aligned}
\]

ii) We need to prove that if the timed language $K^t$ is $L^t$-closed and controllable wrt. $L^t$ and $\Sigma_u$, then $K^{ut} = untime(K^t)$ is closed and controllable wrt. $L^{ut}$ and $\Sigma_u \cup \{\tau\}$. We proceed by first showing the controllability of $K^{ut}$ and then its $L^{ut}$-closedness.

Controllability:
\[
\begin{aligned}
& pr(K^t)((\Sigma_u \cup \{\varepsilon\}) \times \mathbb{R}^+) \cap pr(L^t) \subseteq pr(K^t) \\
\Rightarrow\ & untime[pr(K^t)((\Sigma_u \cup \{\varepsilon\}) \times \mathbb{R}^+) \cap pr(L^t)] \subseteq untime[pr(K^t)] \\
\Rightarrow\ & untime[pr(K^t)((\Sigma_u \cup \{\varepsilon\}) \times \mathbb{R}^+)] \cap untime[pr(L^t)] \subseteq untime[pr(K^t)] \\
\Rightarrow\ & untime[pr(K^t)](\Sigma_u \cup \{\tau\})^* \cap pr(untime(L^t)) \subseteq untime[pr(K^t)] \\
\Rightarrow\ & pr(untime(K^t))(\Sigma_u \cup \{\tau\})^* \cap pr(untime(L^t)) \subseteq pr(untime(K^t)) \\
\Rightarrow\ & pr(K^{ut})(\Sigma_u \cup \{\tau\})^* \cap pr(L^{ut}) \subseteq pr(K^{ut})
\end{aligned}
\]
Thus $K^{ut} = untime(K^t)$ is controllable wrt. $L^{ut}$ and $\Sigma_u \cup \{\tau\}$.

Closedness:
\[
\begin{aligned}
& pr(K^t) \cap L^t = K^t \\
\Rightarrow\ & untime[pr(K^t) \cap L^t] = untime(K^t) \\
\Rightarrow\ & untime[pr(K^t)] \cap untime[L^t] = untime(K^t) \\
\Rightarrow\ & pr[untime(K^t)] \cap untime[L^t] = untime(K^t) \\
\Rightarrow\ & pr(K^{ut}) \cap L^{ut} = K^{ut}
\end{aligned}
\]
Thus $K^{ut} = untime(K^t)$ is $L^{ut}$-closed.

$\square$
Proof of Theorem 9.3:

Let $B^{ut}$ be an untimed language that is controllable and closed. We show that $time(B^{ut})$ is controllable and closed.

Controllability:

Analogous to the proof of Theorem 9.1.

Closedness:

We need to show that $pr[time(B^{ut})]^\infty \cap time(S^{ut}) \subseteq time(B^{ut})$.
$untime(S^{ut})$. We first have the following.
\[
v \in time(S^{ut}) \Leftrightarrow untime(v) \in S^{ut}
\]
Also the following implications hold.
\[
\begin{aligned}
& v \in pr[time(B^{ut})]^\infty \\
\Rightarrow\ & pr(v) \subseteq pr[time(B^{ut})] \\
\Rightarrow\ & untime(pr(v)) \subseteq untime(pr[time(B^{ut})]) \\
\Rightarrow\ & pr(untime(v)) \subseteq pr[untime(time(B^{ut}))] \\
\Rightarrow\ & pr(untime(v)) \subseteq pr(B^{ut}) \\
\Rightarrow\ & untime(v) \in pr(B^{ut})^\infty
\end{aligned}
\]
From this we conclude that
\[
\begin{aligned}
& untime(v) \in pr(B^{ut})^\infty \cap S^{ut} = B^{ut} \\
\Rightarrow\ & v \in time(untime(v)) \subseteq time(B^{ut})
\end{aligned}
\]

We need to show that $B^t =$

Let $v$ be in $pr[time(B^{ut})]^\infty \cap$

$\square$


B Reduction from Infinite Traces to Finite Traces

B.1 Languages of Untimed Traces

For the case where the specification language $A \subseteq S$ is closed wrt. the plant $S$, we show the reduction of the supervisory control problem for infinite untimed traces to a supervisory control problem for finite traces.

Theorem B.1 Let $L \subseteq \Sigma^*$, $S \subseteq \Sigma^\omega$ such that $L^\infty = S$ and $pr(L) = pr(S)$.

i) If $B \subseteq S$ is closed relative to $S$ and $pr(B)$ is $[pr(S),\Sigma_u]$-controllable, then $K = pr(B) \cap L$ is $L$-closed, $[L,\Sigma_u]$-controllable and $pr(K^\infty) = pr(K)$.

ii) If $K \subseteq L$ is $L$-closed and $[L,\Sigma_u]$-controllable and $pr(K^\infty) = pr(K)$, then $B = K^\infty \subseteq S$ is closed relative to $S$ and $[pr(S),\Sigma_u]$-controllable.

Proof:

i) We show that $K = pr(B) \cap L$ is $L$-closed and $[L,\Sigma_u]$-controllable and $pr(K^\infty) = pr(K)$.

Controllability:

To show controllability of $K$, observe that $pr(K) = pr(B)$ because of Lemma A.1. Then, because $pr(L) = pr(S)$, we have that $pr(K)$ is controllable wrt. $pr(L)$, which implies that $K$ is controllable wrt. $L$.

Closedness:

Clearly, because of the above, $K = pr(B) \cap L = pr(K) \cap L$.

$pr(K^\infty) = pr(K)$:

From the above, $K^\infty = B$. Hence $pr(K^\infty) = pr(B) = pr(K)$.

ii) Again, we show controllability and closedness.

Controllability:

Clearly, $K^\infty \subseteq S$. To show controllability, it is sufficient to show that $pr(K) = pr(B)$. This follows from $pr(B) = pr(K^\infty) = pr(K)$.

Closedness:

This follows from the $L$-closedness of $K$. Indeed,
\[
\begin{aligned}
pr(B)^\infty \cap S &= pr(B)^\infty \cap L^\infty \\
&= [pr(B) \cap L]^\infty \\
&= [pr(K) \cap L]^\infty \\
&= K^\infty \\
&= B
\end{aligned}
\]

$\square$

The previous theorem suggests the introduction of a new class of sublanguages. Let $\mathcal{H}^*(K)$ be the class of prefix-proper sublanguages of $K$, i.e.
\[
\mathcal{H}^*(K) = \{T \subseteq K \mid pr(T^\infty) = pr(T)\}.
\]
In other words, a language is prefix-proper if every string is a proper prefix of some other string in the language. Let $\mathcal{CFH}^*[L,\Sigma_u](K)$ be the intersection of $\mathcal{C}^*[L,\Sigma_u](K)$, $\mathcal{F}^*[L](K)$ and $\mathcal{H}^*(K)$.

Lemma B.1

i) The class $\mathcal{H}^*(K)$ is closed under union.

ii) The class $\mathcal{CFH}^*[L,\Sigma_u](K)$ is closed under union and has a supremal element, denoted $\sup \mathcal{CFH}^*[L,\Sigma_u](K)$.

Proof:

i) Let $\emptyset$ be the empty language. Clearly $\emptyset \in \mathcal{H}^*(K)$, so $\mathcal{H}^*(K)$ is non-empty. Let $T_1, T_2 \in \mathcal{H}^*(K)$. Clearly, $T_1 \cup T_2 \subseteq K$. Also note that for any $T \in \mathcal{H}^*(K)$ we always have $pr(T^\infty) \subseteq pr(T)$. In addition,
\[
\begin{aligned}
pr([T_1 \cup T_2]^\infty) &\supseteq pr(T_1^\infty \cup T_2^\infty) \\
&= pr(T_1^\infty) \cup pr(T_2^\infty) \\
&= pr(T_1) \cup pr(T_2) \\
&= pr(T_1 \cup T_2).
\end{aligned}
\]
This implies that $T_1 \cup T_2 \in \mathcal{H}^*(K)$.

ii) This follows directly from (i) and Theorem 3.1.

$\square$


Corollary B.1 Let $L, E \subseteq \Sigma^*$ and $A \subseteq S \subseteq \Sigma^\omega$ be such that $L^\infty = S$, $pr(L) = pr(S)$ and $E = pr(A) \cap L$. If $A$ is closed relative to $S$ then $\sup \mathcal{CF}^\omega[S,\Sigma_u](A) = [\sup \mathcal{CFH}^*[L,\Sigma_u](E)]^\infty$.

Proof: We show containment in two directions. For notational convenience, we abbreviate $A^\dagger = \sup \mathcal{CF}^\omega[S,\Sigma_u](A)$ and $E^\dagger = \sup \mathcal{CFH}^*[L,\Sigma_u](E)$.

LHS $\subseteq$ RHS:

If $A$ is closed relative to $S$, then, because of Theorem 3.4, $A^\dagger$ exists. Let $K = pr(A^\dagger) \cap L$. By Lemma A.1 we have $K^\infty = A^\dagger$. If $K \subseteq E^\dagger$, then, because of the monotonicity of the infinite limit operator, $A^\dagger = K^\infty \subseteq (E^\dagger)^\infty$.

It remains to show that $K \subseteq E^\dagger$. As $pr(A^\dagger)$ is $[pr(S),\Sigma_u]$-controllable and $A^\dagger$ is $S$-closed, the language $K = pr(A^\dagger) \cap L$ is $[L,\Sigma_u]$-controllable and $L$-closed and $pr(K^\infty) = pr(K)$ (Theorem B.1). We have
\[
K = pr(A^\dagger) \cap L \subseteq pr(A) \cap L = E
\]
and so $K \in \mathcal{CFH}^*[L,\Sigma_u](E)$ and thus $K \subseteq E^\dagger$.

RHS $\subseteq$ LHS:

As $E^\dagger$ is $L$-closed and $[L,\Sigma_u]$-controllable and $pr[(E^\dagger)^\infty] = pr(E^\dagger)$, $(E^\dagger)^\infty$ is closed relative to $S$ and $[pr(S),\Sigma_u]$-controllable (Theorem B.1). In addition, as $E^\dagger \subseteq E$, we also have, because of the monotonicity of the infinite limit, $(E^\dagger)^\infty \subseteq E^\infty = A$ (Lemma A.1). Therefore $(E^\dagger)^\infty$ is in $\mathcal{CF}^\omega[S,\Sigma_u](A)$ and hence contained in $A^\dagger$. $\square$

From  the  above,  the  supremal  controllable  and  closed  sublanguage  of  a  given  specification  language 
for  the  infinite  trace  case  can  be  indirectly  computed  by  a  fixpoint  algorithm  on  related  finite  languages. 

The  following  theorem  states  that  a  solution  to  the  supervisory  control  problem  for  infinite  traces 
can  be  determined  in  polynomial  time. 

Theorem B.2 Let $A_S$ and $A_A$ be deterministic Büchi automata for the plant $S$ and the specification $A$. If the plant language is closed relative to the specification language, then the complexity of solving the supervisory control problem is $O(|A_S|^2 |A_A|^2)$.

Proof: By Theorem 3.4 and Corollary B.1, we need only compute $[\sup \mathcal{CFH}^*[L,\Sigma_u](E)]^\infty$, where $L$ is such that $L^\infty = S$ and $pr(L) = pr(S)$, and $E = pr(A) \cap L$.

From the Büchi automaton $A_S$ for the plant we can derive a finite regular automaton $A_L$ such that $\mathcal{L}(A_L) = L$, and $L$ has the desired properties. Simply interpret the Büchi automaton as a regular finite trace automaton where the Büchi recurrence states are final states. An automaton $A_E$ for $E$ is obtained by forming $E = pr(A) \cap L$. Taking the prefixes is $O(|A_A|^2)$. The automaton $A_E$ inherits the structure of $A_L$. Its cross-product with $A_L$ will thus have $|A_S||A_A|$ states. Computing $\sup \mathcal{CF}^*[L,\Sigma_u](E)$ using the finite automata was shown to be quadratic in the cross-product size. The computation of the language $\sup \mathcal{CFH}^*[L,\Sigma_u](E)$ is similar except that it also takes into account the proper-prefix property, by simply requiring every state to have an outgoing transition.

Finally the limit operation is done by replacing the final states with Büchi states, and interpreting the automaton as a Büchi automaton. From this the theorem follows. $\square$
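The fixpoint that the proof above sketches, as an added Python example (not the paper's code): it builds the cross-product of a finite plant automaton $A_L$ with a specification automaton $A_E$ and iteratively removes states that violate controllability, lack an outgoing transition (the proper-prefix property) or cannot reach a final state, returning the trimmed automaton whose finals are then read as Büchi states. The request/grant/refuse plant, the specification and the names `product`, `coreachable` and `sup_cfh` are constructed for this example; the automata are untimed, as in Theorem B.2.

```python
# Added example, not the paper's code: the finite-automaton fixpoint sketched
# in the proof of Theorem B.2.  Automata are (init, trans, finals) with
# trans = {(state, event): next_state}.  A product state is removed when an
# uncontrollable plant event is not kept, when it has no outgoing transition,
# or when it can no longer reach a final state.
from collections import deque

def product(plant, spec):
    """Reachable synchronous product of A_L and A_E.  Product finals are the
    states whose plant component is final (A_E inherits its finals from A_L)."""
    (pi, pt, pf), (si, st, _) = plant, spec
    init, trans, seen, todo = (pi, si), {}, {(pi, si)}, deque([(pi, si)])
    while todo:
        p, q = todo.popleft()
        for (src, e), dst in pt.items():
            if src == p and (q, e) in st:          # both automata allow e
                nxt = (dst, st[(q, e)])
                trans[((p, q), e)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return init, trans, {s for s in seen if s[0] in pf}

def coreachable(trans, finals):
    """States from which some final state can be reached (backward closure)."""
    good, changed = set(finals), True
    while changed:
        changed = False
        for (src, _), dst in trans.items():
            if dst in good and src not in good:
                good.add(src)
                changed = True
    return good

def sup_cfh(plant, spec, unctrl):
    """sup CFH*[L, Sigma_u](E) as an (init, trans, finals) automaton, or None
    when it is empty.  Reading the finals as Büchi states gives the limit."""
    init, trans, finals = product(plant, spec)
    live = {init} | {s for (s, _) in trans} | set(trans.values())
    while True:
        sub = {k: v for k, v in trans.items() if k[0] in live and v in live}
        bad = set()
        for s in live:
            # controllability: an uncontrollable event the plant enables here
            # must still be enabled by the candidate supervisor
            if any(e in unctrl and (s, e) not in sub
                   for (src, e) in plant[1] if src == s[0]):
                bad.add(s)
            # proper-prefix property: every state keeps an outgoing transition
            elif not any(src == s for (src, _) in sub):
                bad.add(s)
        bad |= live - coreachable(sub, finals & live)   # must reach a final
        if not bad:
            return init, sub, finals & live
        live -= bad
        if init not in live:
            return None      # empty supremal element: no non-trivial supervisor

# Constructed sample: a process may request a resource and be granted or
# refused it, or stop for good; the plant's Büchi recurrence state is "idle".
# The specification E = pr(A) ∩ L forbids refusals.
PLANT = ("idle", {("idle", "request"): "wait", ("wait", "grant"): "idle",
                  ("wait", "refuse"): "idle", ("idle", "stop"): "done"}, {"idle"})
SPEC = ("i", {("i", "request"): "w", ("w", "grant"): "i", ("i", "stop"): "d"}, {"i"})
```

With `refuse` controllable the supervisor simply disables it and drops the dead-end `stop` branch; with `refuse` uncontrollable the supremal element is empty, which is the failing case of Theorem B.4.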


B.2  Languages  of  Timed  Traces 

B.2.1  Reduction  to  Untimed  Supervisory  Control  Problem 

As  for  the  untimed  supervisory  problem,  if  the  plant  of  infinite  timed  traces  is  closed  relative  to  its 
specification,  then  the  supervisory  control  problem  reduces  to  that  over  finite  timed  traces.  In  the  rest 
of  this  section,  we  assume  that  the  plant  language  is  closed  relative  to  its  specification.  The  supremal 
element  may  be  characterized  in  terms  of  the  supremal  element  of  a  corresponding  finite  trace  class  of 
languages.  The  following  definition  and  results  match  those  of  subsection  B.l.  The  proofs  are  similar 
and  are  omitted. 

Theorem B.3 Let $L$ be a language of finite timed traces over $\Sigma$ and $S$ a language of infinite timed traces over $\Sigma$ such that $L^\infty = S$ and $pr(L) = pr(S)$.

i) If $B \subseteq S$ is closed relative to $S$ and $pr(B)$ is $[pr(S),\Sigma_u]$-controllable, then $K = pr(B) \cap L$ is $L$-closed, $[L,\Sigma_u]$-controllable and $pr(K^\infty) = pr(K)$.

ii) If $K \subseteq L$ is $L$-closed and $[L,\Sigma_u]$-controllable and $pr(K^\infty) = pr(K)$, then $B = K^\infty \subseteq S$ is closed relative to $S$ and $[pr(S),\Sigma_u]$-controllable. $\square$

Let $K$ be a language of finite timed traces. Define $\mathcal{H}^{t,*}(K)$ to be the class of prefix-proper timed sublanguages of $K$, i.e.
\[
\mathcal{H}^{t,*}(K) = \{T \subseteq K \mid pr(T^\infty) = pr(T)\}.
\]
Let $\mathcal{CFH}^{t,*}[L,\Sigma_u](K)$ be the intersection of $\mathcal{C}^{t,*}[L,\Sigma_u](K)$, $\mathcal{F}^{t,*}[L](K)$ and $\mathcal{H}^{t,*}(K)$.

Lemma B.2

i) The class $\mathcal{H}^{t,*}(K)$ is closed under union.

ii) The class $\mathcal{CFH}^{t,*}[L,\Sigma_u](K)$ is closed under union and has a supremal element, denoted $\sup \mathcal{CFH}^{t,*}[L,\Sigma_u](K)$. $\square$

Corollary B.2 Let $L$ be a language of finite timed traces over $\Sigma$, and both $S$ and $A$ be languages of infinite timed traces. Suppose $L^\infty = S$, $pr(L) = pr(S)$ and $E = pr(A) \cap L$. If $A$ is closed relative to $S$ then
\[
\sup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A) = [\sup \mathcal{CFH}^{t,*}[L,\Sigma_u](E)]^\infty.
\]
$\square$

Theorem B.4 Let $S$ be an infinite timed trace plant model and $A$ be a specification language for the plant such that $A$ is closed relative to $S$. The following three statements are equivalent.

i) The supervisory control problem has a non-trivial solution.

ii) $\sup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A) \neq \emptyset$.

iii) $\sup \mathcal{CFH}^{t,*}[L,\Sigma_u](E) \neq \emptyset$,

where $L$ and $E$ are as in the hypothesis of Corollary B.2, i.e. $L^\infty = S$, $pr(L) = pr(S)$ and $E = pr(A) \cap L$.

Proof: This follows directly from Theorems 6.1 and 6.3 and Corollary B.2. $\square$

The  supervisory  control  problem  for  infinite  timed  traces  can  first  be  reduced  to  a  finite  timed  trace 
problem  by  Corollary  B.2  of  Section  B.2.  The  derived  finite  timed  trace  problem  must  also  consider 
the  proper-prefix  property  of  languages.  Theorem  9.1  and  Corollary  9.1  can  easily  be  adapted  to 
accommodate  this  property.  Combining  all  these  results  leads  to  the  following  characterization  for  the 
supervisory  control  problem  over  infinite  timed  traces. 

Theorem B.5 Let $L$ be a language of finite timed traces over $\Sigma$, and both $S$ and $A$ be languages of infinite timed traces. Suppose $L^\infty = S$, $pr(L) = pr(S)$ and $E = pr(A) \cap L$. If $A$ is closed relative to $S$ then
\[
\sup \mathcal{CF}^{t,\omega}[S,\Sigma_u](A) = [\sup \mathcal{CFH}^{t,*}[L,\Sigma_u](E)]^\infty = [time(\sup \mathcal{CFH}^*[untime(L),\Sigma_u \cup \{\tau\}](untime(E)))]^\infty.
\]
$\square$


B.2.2 Synthesis Procedure

Thus  given  two  languages  of  infinite  timed  traces,  it  suffices  to  solve  a  revised  control  problem  over 
untimed  languages  of  finite  traces;  when  the  untimed  supremal  controllable  and  closed  language  is 
timed  and  its  limit  is  taken  it  yields  the  corresponding  supremal  controllable  and  closed  language  of 
infinite timed traces. When the problem is given in terms of deterministic timed Büchi automata, a
supervisor may be synthesized according to the procedure shown in Figure 14.

Theorem B.6 Let $A$ and $S$ be languages of infinite timed traces represented by deterministic timed Büchi automata. If $A$ is closed relative to $S$, then there is an algorithm to solve the supervisory control problem for infinite timed traces.
Proof: In light of Theorems B.5 and B.2, it suffices to show how to construct untimed automata for the languages $untime(L)$ and $untime(E)$, where $L^\infty = S$, $pr(L) = pr(S)$ and $E = pr(A) \cap L$. We first construct these automata and then prove that they accept languages satisfying these properties.

As for finite traces, we first obtain the deterministic synchronized automata $A'_A$ and $A'_S$ from the deterministic timed automata $A_A$ for $A$ and $A_S$ for $S$. These automata are transformed into untimed Büchi automata $A''_S$ and $A''_A$ accepting their untimed languages $S^{ut} = untime(S)$ and $A^{ut} = untime(A)$, as given by Lemma 8.3. It is a standard operation to derive from a Büchi automaton an automaton on finite strings that represents the original language: a state is final if and only if it is final in the original Büchi automaton. Let $A'''_S$ be the regular automaton so obtained from $A''_S$. We remove from the final set of $A'''_S$ every state which is not reachable from itself, giving a new automaton $A''''_S$. Now $A''''_S$ accepts $L^{ut}$ such that $(L^{ut})^\infty = S^{ut}$ and $pr(L^{ut}) = pr(S^{ut})$. It is also a standard procedure to obtain from the automaton $A''_A$ an automaton accepting the prefixes of $A^{ut}$. Call this new automaton $\bar{A}_A$. Now take the cross-product of $\bar{A}_A$ and $A''''_S$. This automaton accepts $E^{ut}$.

We now show that the languages $L = time(L^{ut})$ and $E = time(E^{ut})$ satisfy the hypothesis of Theorem B.5. For $L$, we have
\[
\begin{aligned}
L^\infty &= (time(L^{ut}))^\infty \\
&= time((L^{ut})^\infty) \\
&= time(S^{ut}) \\
&= S
\end{aligned}
\]
and
\[
\begin{aligned}
pr(L) &= pr(time(L^{ut})) \\
&= time(pr(L^{ut})) \\
&= time(pr(S^{ut})) \\
&= pr(time(S^{ut})) \\
&= pr(S)
\end{aligned}
\]
Furthermore
\[
\begin{aligned}
E &= time(E^{ut}) \\
&= time(pr(A^{ut}) \cap L^{ut}) \\
&= time(pr(A^{ut})) \cap time(L^{ut}) \\
&= pr(time(A^{ut})) \cap L \\
&= pr(A) \cap L
\end{aligned}
\]

$\square$


The  solution  has  the  same  complexity  up  to  an  exponential  as  for  languages  of  finite  timed  traces, 
since  the  additional  computations  are  all  polynomial  operations. 
Figure 1: Timed Regular Automaton for a simple language of request and grant events

Figure 2: Diagram showing derivation of untime(v)

Figure 4: TBA $A_{S^*}$ for plant $S^*$

Figure 5: Synthesis procedure for infinite timed traces (timed problem on the left, untimed problem on the right)

Figure 7: Specification model E

Figure 8: Time regions

Figure 10: TBA plant model for a process requesting a resource

Figure 11: Specification TBA $A_A$ requiring all responses to be grants that are made within 6 seconds of each other

Figure 12: Timed supervisor for non-terminating process example

Figure 14: Synthesis procedure for infinite timed traces if A closed wrt. S